Windows Analysis Report
Suppliers_Data.pif.exe

Overview

General Information

Sample name: Suppliers_Data.pif.exe
Analysis ID: 1586916
MD5: 6af2749e008b69261fb3221532e5e96e
SHA1: 2ea58ea333f9de3455770c9da3047fe4e0d2bb73
SHA256: 9516599f449a283c1863a45d1c95433aa769fd86d49058ca861e37a1f758831d
Tags: exe, user-lowmal3

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Suppliers_Data.pif.exe (PID: 5532 cmdline: "C:\Users\user\Desktop\Suppliers_Data.pif.exe" MD5: 6AF2749E008B69261FB3221532E5E96E)
    • powershell.exe (PID: 1340 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4156 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • Suppliers_Data.pif.exe (PID: 1280 cmdline: "C:\Users\user\Desktop\Suppliers_Data.pif.exe" MD5: 6AF2749E008B69261FB3221532E5E96E)
    • WerFault.exe (PID: 4788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["173.211.106.233:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4WOIVV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown; Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown; Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack; Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown; Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Suppliers_Data.pif.exe", ParentImage: C:\Users\user\Desktop\Suppliers_Data.pif.exe, ParentProcessId: 5532, ParentProcessName: Suppliers_Data.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", ProcessId: 1340, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Suppliers_Data.pif.exe", ParentImage: C:\Users\user\Desktop\Suppliers_Data.pif.exe, ParentProcessId: 5532, ParentProcessName: Suppliers_Data.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", ProcessId: 1340, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Suppliers_Data.pif.exe", ParentImage: C:\Users\user\Desktop\Suppliers_Data.pif.exe, ParentProcessId: 5532, ParentProcessName: Suppliers_Data.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe", ProcessId: 1340, ProcessName: powershell.exe

                Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: F5 A9 16 B7 D7 DD 52 3C 72 D4 F6 4A D6 84 87 63 46 28 7D 57 09 EA 6D 9D 83 31 A7 CA 72 83 B9 35 E2 B8 3B 1A FB 9A A5 37 9C 91 04 7F 16 6C BB 63 3D B2 C6 E4 43 49 4F 18 50 BF C8 55 49 60 FC 9C F0 6C AF 04 B8 D2 49 CE B3 5C 86 8E 23 73 23 57 56 8C D7 26 D6 BB AE AA 31 92 60 0F 05 56 10 13 18 BB, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Suppliers_Data.pif.exe, ProcessId: 1280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-4WOIVV\exepath

Suricata IDS Alerts

Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-09T19:01:20.429116+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49711        173.211.106.233  2404              TCP
2025-01-09T19:01:42.857021+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49813        173.211.106.233  2404              TCP
2025-01-09T19:02:05.277215+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49941        173.211.106.233  2404              TCP
2025-01-09T19:02:27.744908+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49994        173.211.106.233  2404              TCP
2025-01-09T19:02:50.245911+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49995        173.211.106.233  2404              TCP
2025-01-09T19:03:12.637376+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49997        173.211.106.233  2404              TCP
2025-01-09T19:03:35.027408+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  49999        173.211.106.233  2404              TCP
2025-01-09T19:03:57.448755+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  50000        173.211.106.233  2404              TCP
2025-01-09T19:04:19.839661+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  50001        173.211.106.233  2404              TCP
2025-01-09T19:04:42.213541+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  50002        173.211.106.233  2404              TCP
2025-01-09T19:05:04.640964+0100  2036594  1         Malware Command and Control Activity Detected  192.168.2.6  50005        173.211.106.233  2404              TCP

                AV Detection

Source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["173.211.106.233:2404:1"], "Assigned name": "RemcoHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4WOIVV", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Suppliers_Data.pif.exe; ReversingLabs: Detection: 71%
Source: Yara match; File source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: Suppliers_Data.pif.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: Suppliers_Data.pif.exe, 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_9e2647ee-6

                Exploits

Source: Yara match; File source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR

                Privilege Escalation

Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00406764 _wcslen,CoGetObject
Source: Suppliers_Data.pif.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Suppliers_Data.pif.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: mscorlib.pdbMZ source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Windows.Forms.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Drawing.pdbp source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: mscorlib.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: Accessibility.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.ni.pdbRSDS source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.pdb, source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Drawing.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: mscorlib.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Core.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Xml.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER1D92.tmp.dmp.8.dr
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_0044D5F9 FindFirstFileExA
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49711 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49813 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49999 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49997 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50002 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49995 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49994 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49941 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50000 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50001 -> 173.211.106.233:2404
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50005 -> 173.211.106.233:2404
Source: Malware configuration extractor; IPs: 173.211.106.233
Source: global traffic; TCP traffic: 192.168.2.6:49711 -> 173.211.106.233:2404
Source: Joe Sandbox View; ASN Name: QUICKPACKETUS QUICKPACKETUS
Source: unknown; TCP traffic detected without corresponding DNS query: 173.211.106.233
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_00426107 recv
Source: Suppliers_Data.pif.exe; String found in binary or memory: http://geoplugin.net/json.gp
Source: Suppliers_Data.pif.exe, 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Suppliers_Data.pif.exe, 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Suppliers_Data.pif.exe, 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Suppliers_Data.pif.exe, 00000000.00000002.2180152541.0000000002681000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr; String found in binary or memory: http://upx.sf.net

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe; Code function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0041BB87 SystemParametersInfoW

                System Summary

                Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0089E5A4
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511AA70
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511F5B8
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_051130D8
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511E318
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511DEE0
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511F9F0
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511CB88
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511AA60
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 0_2_0511DAA8
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_004520E2
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0041D081
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0043D0A8
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00437160
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_004361BA
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00426264
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00431387
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0041E5EF
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0044C749
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_004267DB
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0043C9ED
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00432A59
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0043CC1C
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00434D32
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0043CE4B
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00440E30
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00426E83
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00412F45
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00452F10
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00426FBD
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: String function: 004020E7 appears 41 times
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: String function: 004338B5 appears 41 times
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: String function: 00433FC0 appears 55 times
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1780
                Source: Suppliers_Data.pif.exe | Binary or memory string: OriginalFilename vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe, 00000000.00000002.2183792811.0000000004E10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe, 00000000.00000002.2179177555.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe, 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe, 00000000.00000002.2180152541.0000000002735000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe, 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe, 00000000.00000002.2184135621.00000000057DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe | Binary or memory string: OriginalFilenameswOX.exe8 vs Suppliers_Data.pif.exe
                Source: Suppliers_Data.pif.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Suppliers_Data.pif.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/11@0/1
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Suppliers_Data.pif.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4WOIVV
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5532
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2bcermbw.d1a.ps1
                Source: Suppliers_Data.pif.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Suppliers_Data.pif.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Suppliers_Data.pif.exe | ReversingLabs: Detection: 71%
                Source: unknown | Process created: C:\Users\user\Desktop\Suppliers_Data.pif.exe "C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process created: C:\Users\user\Desktop\Suppliers_Data.pif.exe "C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1780
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeProcess created: C:\Users\user\Desktop\Suppliers_Data.pif.exe "C:\Users\user\Desktop\Suppliers_Data.pif.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Suppliers_Data.pif.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Suppliers_Data.pif.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: mscorlib.pdbMZ source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Windows.Forms.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Drawing.pdbp source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: mscorlib.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: Accessibility.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.ni.pdbRSDS source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.pdb, source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Drawing.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: mscorlib.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Core.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Xml.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: System.Core.ni.pdb source: WER1D92.tmp.dmp.8.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER1D92.tmp.dmp.8.dr
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0041BCF3
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 0_2_06B75735 push ebx; retf 0_2_06B7573E
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 0_2_0511A4F1 push 5D03687Dh; ret 0_2_0511A517
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 0_2_051142D7 push ebx; ret 0_2_051142DA
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_00434006 push ecx; ret 5_2_00434019
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_004567F0 push eax; ret 5_2_0045680E
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_0045B9DD push esi; ret 5_2_0045B9E6
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_00455EBF push ecx; ret 5_2_00455ED2
                Source: Suppliers_Data.pif.exe Static PE information: section name: .text entropy: 7.902483209687771
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_00406128 ShellExecuteW,URLDownloadToFileW, 5_2_00406128
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 5_2_00419BD4

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Code function: 5_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0041BCF3
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX (identical entry repeated 5 times in the report)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 51 times in the report)

                Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0040E54F: Sleep, ExitProcess
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: 890000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: 2680000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: C30000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: 7630000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: 8630000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: 87E0000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: 97E0000 (memory reserve, memory write watch)
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_004198D2: OpenSCManagerA, EnumServicesStatusW, GetLastError, EnumServicesStatusW, OpenServiceW, QueryServiceConfigW, GetLastError, QueryServiceConfigW, CloseServiceHandle, CloseServiceHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6329
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3405
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Window / User API: threadDelayed 5055
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Window / User API: threadDelayed 4939
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | API coverage: 9.0 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep count: 5055 > 30
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep time: -15165000s >= -30000s
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep count: 4939 > 30
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep time: -14817000s >= -30000s
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0040B335: FindFirstFileA, FindClose, DeleteFileA, GetLastError, DeleteFileA, GetLastError, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0041B43F: FindFirstFileW, FindNextFileW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, FindClose, RemoveDirectoryW, GetLastError, FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0040B53A: FindFirstFileA, FindClose, DeleteFileA, GetLastError, FindNextFileA, FindClose, FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0044D5F9: FindFirstFileExA
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_004089A9: __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, FindClose, __CxxThrowException@8
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00406AC2: FindFirstFileW, FindNextFileW
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00407A8C: __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, __CxxThrowException@8
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00418C79: FindFirstFileW, FindNextFileW, FindNextFileW
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00408DA7: __EH_prolog, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00406F06: SetEvent, GetFileAttributesW, DeleteFileW, ShellExecuteW, GetLogicalDriveStringsA, SetFileAttributesW, DeleteFileA, Sleep, StrToIntA, CreateDirectoryW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Suppliers_Data.pif.exe, 00000000.00000002.2179177555.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<x%a
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Suppliers_Data.pif.exe, 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | API call chain: ExitProcess graph end node graph_5-47521
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0043A66D: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0041BCF3: LoadLibraryA, LoadLibraryA, GetProcAddress, GetProcAddress, GetModuleHandleA, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00442564: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0044E93E: GetProcessHeap
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00434178: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_0043A66D: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00433B54: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function 5_2_00433CE7: SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Memory allocated: page read and write, page guard
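The "Thread sleep count" / "Thread sleep time" pairs for TID 2420 above say more than they appear to: 15165000 / 5055 and 14817000 / 4939 both come to exactly 3000, so the sample is sitting in a Sleep(3000) loop that requests roughly eight hours of delay in total, which is how it outlasts a sandbox's run budget. The 922337203685477 figure on the powershell.exe entries is something else: 0x7FFFFFFFFFFFFFFF in 100 ns units expressed in milliseconds, i.e. a wait with no timeout (the TID 3172 value is exactly five times that). The Python below is an added example, not part of the Joe Sandbox report, that parses entries of this shape, derives the per-call interval, and separates timed sleep loops from indefinite waits. Its assumptions: Joe's "s" suffix on "Thread sleep time" is really a millisecond figure (the arithmetic above is the only evidence for that), the ten-minute sandbox budget is an arbitrary choice, and the sample lines are constructed from the entries above plus one made-up benign thread for contrast.

```python
"""Sleep-loop triage for Joe Sandbox 'Thread sleep' entries (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# A relative NT timeout of 0x7FFFFFFFFFFFFFFF (100 ns units) converted to
# milliseconds: 922337203685477.  Anything at or above this is treated as a
# wait with no timeout rather than a timed sleep.  (Assumption: Joe's "s"
# suffix is really milliseconds; see the lead-in.)
INFINITE_MS = 0x7FFFFFFFFFFFFFFF // 10_000

# Constructed input: the TID 2420 and TID 3172 entries from the report above,
# plus a made-up benign thread (TID 100) for contrast.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep count: 5055 > 30
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep time: -15165000s >= -30000s
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep count: 4939 > 30
Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe TID: 2420 | Thread sleep time: -14817000s >= -30000s
Source: C:\Users\user\Desktop\benign.exe TID: 100 | Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\benign.exe TID: 100 | Thread sleep time: -400s >= -30000s
"""

# Tolerates both the raw report form ("TID: 2420Thread sleep ...") and the
# column-separated form used in this page.
_ENTRY = re.compile(
    r"Source: (?P<image>.+?) TID: (?P<tid>\d+)\s*\|?\s*"
    r"Thread sleep (?P<kind>count|time): -?(?P<val>\d+)")


@dataclass
class SleepStats:
    image: str
    tid: int
    calls: int = 0            # summed "Thread sleep count" entries
    total_ms: int = 0         # summed timed "Thread sleep time" magnitudes
    indefinite: bool = False  # saw a wait with no timeout

    @property
    def interval_ms(self) -> Optional[float]:
        """Average requested delay per call, or None if it cannot be derived."""
        if self.indefinite or not self.calls:
            return None
        return self.total_ms / self.calls


def parse_sleep_lines(text: str) -> Dict[int, SleepStats]:
    """Aggregate count/time entries per thread id."""
    stats: Dict[int, SleepStats] = {}
    for m in _ENTRY.finditer(text):
        tid = int(m["tid"])
        st = stats.setdefault(tid, SleepStats(m["image"], tid))
        val = int(m["val"])
        if m["kind"] == "count":
            st.calls += val
        elif val >= INFINITE_MS:
            st.indefinite = True
        else:
            st.total_ms += val
    return stats


def classify(st: SleepStats, budget_ms: int = 10 * 60 * 1000) -> str:
    """Verdict for one thread; budget_ms is the sandbox run time (assumed 10 min)."""
    if st.indefinite:
        return "indefinite-wait"   # blocked on a handle, not on a timer
    if st.total_ms >= budget_ms:
        return "sleep-evasion"     # requested delay outlasts the analysis window
    return "benign"


def triage(text: str, budget_ms: int = 10 * 60 * 1000) -> Dict[int, str]:
    """Map every thread id found in text to its verdict."""
    return {tid: classify(st, budget_ms) for tid, st in parse_sleep_lines(text).items()}


if __name__ == "__main__":
    for tid, st in parse_sleep_lines(SAMPLE_LINES).items():
        name = st.image.split("\\")[-1]
        iv = f"{st.interval_ms:.0f} ms/call" if st.interval_ms is not None else "n/a"
        print(f"TID {tid:>5}  {name:<24} calls={st.calls:<5} "
              f"total={st.total_ms / 1000:>9.1f} s  {iv:<12} {classify(st)}")
```

A constant interval with a large call count is the signature to look for; a handful of long sleeps is normal application behaviour, thousands of identical short ones are a timer loop written to burn the analysis window.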

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeMemory written: C:\Users\user\Desktop\Suppliers_Data.pif.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe5_2_00410F36
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: 5_2_00418764 mouse_event,5_2_00418764
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeProcess created: C:\Users\user\Desktop\Suppliers_Data.pif.exe "C:\Users\user\Desktop\Suppliers_Data.pif.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: 5_2_00433E1A cpuid 5_2_00433E1A
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetLocaleInfoW,5_2_004510CA
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: EnumSystemLocalesW,5_2_004470BE
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_004511F3
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetLocaleInfoW,5_2_004512FA
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_004513C7
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetLocaleInfoW,5_2_004475A7
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetLocaleInfoA,5_2_0040E679
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00450A8F
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: EnumSystemLocalesW,5_2_00450D52
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: EnumSystemLocalesW,5_2_00450D07
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: EnumSystemLocalesW,5_2_00450DED
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,5_2_00450E7A
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeQueries volume information: C:\Users\user\Desktop\Suppliers_Data.pif.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00404915 GetLocalTime,CreateEventA,CreateThread
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0041A7B2 GetComputerNameExW,GetUserNameW
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0040B21B \AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0040B335 \AppData\Roaming\Mozilla\Firefox\Profiles\
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_0040B335 \key3.db

                Remote Access Functionality

                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4WOIVV
                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Suppliers_Data.pif.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.4194000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Suppliers_Data.pif.exe.3751f08.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 5532, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Suppliers_Data.pif.exe PID: 1280, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Suppliers_Data.pif.exe | Code function: 5_2_00405042 cmd.exe
                MITRE ATT&CK Matrix (one line per tactic column; a number preceding a technique is the count shown in the original matrix cell, techniques without a number are matrix placeholders with no matching signature)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 1 Native API; 1 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 121 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 121 Process Injection
                Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 41 Security Software Discovery; 41 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 11 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                        Source | Detection | Scanner | Label
                        Suppliers_Data.pif.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeylogger
                        Suppliers_Data.pif.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No contacted domains info
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://geoplugin.net/json.gp | Suppliers_Data.pif.exe | false | | high
                        http://upx.sf.net | Amcache.hve.8.dr | false | | high
                        http://geoplugin.net/json.gp/C | Suppliers_Data.pif.exe, 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Suppliers_Data.pif.exe, 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Suppliers_Data.pif.exe, 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Suppliers_Data.pif.exe, 00000000.00000002.2180152541.0000000002681000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        173.211.106.233 | unknown | United States | 46261 | QUICKPACKETUS | true
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1586916
                        Start date and time:2025-01-09 19:00:06 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 46s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:17
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Suppliers_Data.pif.exe
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.expl.evad.winEXE@8/11@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 91%
                        • Number of executed functions: 101
                        • Number of non-executed functions: 190
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 52.182.143.212, 40.126.32.136, 23.56.254.164, 13.107.246.45, 20.109.210.53
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: Suppliers_Data.pif.exe
                        Time | Type | Description
                        13:00:57 | API Interceptor | 4744483x Sleep call for process: Suppliers_Data.pif.exe modified
                        13:00:59 | API Interceptor | 12x Sleep call for process: powershell.exe modified
                        13:01:02 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | RailProvides_nopump.exe | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | https://z97f4f2525fyg27.webflow.io/ | malicious | HTMLPhisher | 172.82.129.154
                        QUICKPACKETUS | 9W9jJCj9EV.bat | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
                        QUICKPACKETUS | Dd5DwDCHJD.exe | malicious | Quasar | 193.31.28.181
                        QUICKPACKETUS | 3e88PGFfkf.exe | malicious | DCRat | 185.230.138.58
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):1.251575869594319
                        Encrypted:false
                        SSDEEP:192:JEj29WkA0BU/qa2OJoNZrYaadzuiFcrZ24IO8R:829WIBU/qaRuOzuiFcrY4IO8R
                        MD5:208EC12B060A8E0E72ABC70711AEA5E7
                        SHA1:E15EDCD6F23D8EB662A354731B201A6E2989BC6C
                        SHA-256:6595B121EF1BA3E09838F5989BB6AF4227C2BD0147204A3F990C6995E38AD4CA
                        SHA-512:9302AB9C642C991F586F04FF562ED2487DA1587C5FF4599839332E59259C2AF2BB56AC913C3234EA84E1C82B52B4404F144ACB708E94217A9DB02C66AC2C71AE
                        Malicious:false
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.1.9.2.5.9.5.2.4.2.3.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.1.9.2.6.0.2.4.2.9.8.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.f.1.e.1.a.f.-.5.2.7.9.-.4.2.8.0.-.b.4.e.5.-.0.7.2.2.c.e.4.9.c.e.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.a.9.8.b.a.1.-.d.f.3.0.-.4.8.b.3.-.b.7.f.4.-.2.a.d.b.e.b.f.f.7.6.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.u.p.p.l.i.e.r.s._.D.a.t.a...p.i.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.w.O.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.9.c.-.0.0.0.1.-.0.0.1.5.-.3.0.7.3.-.d.8.6.e.c.0.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.3.a.b.0.7.8.a.6.d.b.a.6.7.3.f.7.f.d.4.4.2.e.8.4.2.7.c.4.e.b.0.0.0.0.0.0.0.0.!.0.0.0.0.2.e.a.5.8.e.a.3.3.3.f.9.d.e.3.4.5.5.7.7.0.c.9.d.a.3.0.4.7.f.e.4.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Thu Jan 9 18:00:59 2025, 0x1205a4 type
                        Category:dropped
                        Size (bytes):336540
                        Entropy (8bit):3.8224340514116584
                        Encrypted:false
                        SSDEEP:6144:sCYj90R+ruEcjOp5NukWc40yxfTgtN/xhsOPuy:snjcEwU5skWs+ToxqOP
                        MD5:BE93EE0E52B22B440B58A5188C44460F
                        SHA1:EB4DE2244FEBCC4C0D4971399F08EFE9E2B07341
                        SHA-256:0F56C6ED2BABDC03C81E9A8A0F569130DA098984D03501D20F31207E4338F0CF
                        SHA-512:B215E1F3F2385C200861AC875E6DDC306F632AEFEB8B98F88DD1ABB4B95D8E9E074B356D3184724724D8FB3C2C5B5608E42EE9B419A52B19E8E4D4DF6AAC5F1C
                        Malicious:false
                        Reputation:low
                        Preview:MDMP..a..... ..........g........................0"..........$....,...........f..........`.......8...........T............B..............<,..........(...............................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8440
                        Entropy (8bit):3.693104710259953
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJJP6fH6Y2DRSU9zzgmfZ/rHpra89bfwsf0Y1m:R6lXJx6P6YsSU9fgmftJfDfa
                        MD5:960D9B85DA50FA048D29712C22C4F110
                        SHA1:6F8A157BDBAABB31672EFB78B987E54B6BE9BAFF
                        SHA-256:F6F27FE0193A6BC60B778B73545532169076A8989F123AD3F58068410543E0F8
                        SHA-512:FF1ED73C88579BBED0ACBC3C9F1DA6C9176C8FAE24370B1695ECAB72B0E98BADB5F97E70A8B9317E97D21DD0072EFB0113071BFDD2C66230FB2D1CE815235F1E
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.3.2.<./.P.i.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4781
                        Entropy (8bit):4.4789631601109505
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsCJg77aI9cHWpW8VYaQ2Ym8M4Jx/FKP+q8v2AD+0Sfbd:uIjfQI7i27VS/JuKhy0ybd
                        MD5:FBDEDC02EF2CB0BAE5D6D8E4B1CF1225
                        SHA1:0C8A4B1100913C533F056258250245FF8FEFB247
                        SHA-256:B5884753B544824FFA07DE5EB3A0274B450A89B0EED0F4E71B7EC8E0B4F388CF
                        SHA-512:900CE605EFF2D8AFC035209E97B31529AF2897A5F3E93F68F348B0F1A49FB74091ED7A7529EF41B5187407879E6CA56D8C54900D8A1835EB16CC74FE0418F847
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668703" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Users\user\Desktop\Suppliers_Data.pif.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:true
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2232
                        Entropy (8bit):5.380747059108785
                        Encrypted:false
                        SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeoPUyus:lGLHxvIIwLgZ2KRHWLOugYs
                        MD5:844F2045BCDEF300385E9B9F0D4FD9FE
                        SHA1:23190F5644FADE811CA696A3ADCB1862488AC0C4
                        SHA-256:84CC08EA3DD249D7C935B0149EC8EC6FD20BB3745DBD69E9CD278A3A78E97597
                        SHA-512:3F3F79FBF47D232285BC8DDFF58553B7FB5A47B5A06C7A1FA95E9A29110DDCC1927D41D24DBA4A4100C10CB57C3BF0201591E6BCEEA2152D0184065DB96EA7C3
                        Malicious:false
                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.468755525685459
                        Encrypted:false
                        SSDEEP:6144:KzZfpi6ceLPx9skLmb0fzZWSP3aJG8nAgeiJRMMhA2zX4WABluuN4jDH5S:MZHtzZWOKnMM6bFpKj4
                        MD5:41F4E2247709A53A3BBBE534BED4C7A0
                        SHA1:9ACC6725750E85D9D364A0B589CC43A16EE5AB8A
                        SHA-256:798F7043450EABCF349BF217D48E2D688ECBC5328C42027A28483C72939E6F8C
                        SHA-512:D907D6942BB6D03976686A65FCB1F43B2EFC0BBF930E73A9F30969918182115D1F1C7369D9775053C1DB76C899C0B63B68CECA683D68DE8B912633B101DFAC67
                        Malicious:false
                        Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.&Ap.b................................................................................................................................................................................................................................................................................................................................................WD........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.897922583207698
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:Suppliers_Data.pif.exe
                        File size:982'016 bytes
                        MD5:6af2749e008b69261fb3221532e5e96e
                        SHA1:2ea58ea333f9de3455770c9da3047fe4e0d2bb73
                        SHA256:9516599f449a283c1863a45d1c95433aa769fd86d49058ca861e37a1f758831d
                        SHA512:e2edd970640102a258d18bd286c2c82139ac3e817eb0c25fa6f83548826f6e5b6624dc65d19acac13c4a424032d08bbd94bb88f827995371c04500cb1c2057da
                        SSDEEP:24576:0dFeeZbrWi6BoUgSjSxz6K511VRB1jubSogLgaIKkQM8B:Uzbmtj4v511VRB1ybSHLUjK
                        TLSH:592512DA6E03DC5BD48207B10621E37E66648EAFC522C3578EECFCF7B01275A5989391
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O>sg..............0......$......:.... ........@.. .......................`............@................................
                        Icon Hash:53952576d1abd26e
                        Entrypoint:0x4ef53a
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x67733E4F [Tue Dec 31 00:43:59 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xef4e8 | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x21a0 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0xed560 | 0xed600 | 1b41fd3455f15095b4eada9b346e688f | False | 0.947183344852554 | data | 7.902483209687771 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xf0000 | 0x21a0 | 0x2200 | b4ee6dc07841b4602b9e3ee2b5b54ee2 | False | 0.8986672794117647 | data | 7.474346799923221 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xf4000 | 0xc | 0x200 | f61e3782a7dc80ab7a33b2ebab9d5f95 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0xf00c8 | 0x1d72 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9698859113823295
                        RT_GROUP_ICON | 0xf1e4c | 0x14 | data | - | - | 1.05
                        RT_VERSION | 0xf1e70 | 0x32c | data | - | - | 0.4642857142857143
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2025-01-09T19:01:20.429116+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49711 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:01:42.857021+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49813 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:02:05.277215+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49941 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:02:27.744908+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49994 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:02:50.245911+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49995 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:03:12.637376+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49997 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:03:35.027408+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49999 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:03:57.448755+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50000 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:04:19.839661+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50001 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:04:42.213541+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50002 | 173.211.106.233 | 2404 | TCP
                        2025-01-09T19:05:04.640964+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50005 | 173.211.106.233 | 2404 | TCP


                        Target ID:0
                        Start time:13:00:57
                        Start date:09/01/2025
                        Path:C:\Users\user\Desktop\Suppliers_Data.pif.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                        Imagebase:0x1a0000
                        File size:982'016 bytes
                        MD5 hash:6AF2749E008B69261FB3221532E5E96E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2181447356.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2181447356.0000000003689000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:13:00:58
                        Start date:09/01/2025
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                        Imagebase:0xc10000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:13:00:58
                        Start date:09/01/2025
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff66e660000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:13:00:58
                        Start date:09/01/2025
                        Path:C:\Users\user\Desktop\Suppliers_Data.pif.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Suppliers_Data.pif.exe"
                        Imagebase:0x8f0000
                        File size:982'016 bytes
                        MD5 hash:6AF2749E008B69261FB3221532E5E96E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4583097826.000000000106B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:false

                        Target ID:8
                        Start time:13:00:59
                        Start date:09/01/2025
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1780
                        Imagebase:0x530000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:13:01:00
                        Start date:09/01/2025
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff717f30000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:7.7%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:95
                          Total number of Limit Nodes:7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0286c97a6500c938e7dacc84a13384343288dbc1d7d12f920bfd2d421ae5edc0
                          • Instruction ID: 3c403c210a217ad79312a4f8158fdc22bb5cd2d8dbb1644dc7d6b3059157e235
                          • Opcode Fuzzy Hash: 0286c97a6500c938e7dacc84a13384343288dbc1d7d12f920bfd2d421ae5edc0
                          • Instruction Fuzzy Hash: 6B2127B1D096088BEB18CF67C9043DEBEF7AFC9300F04C1BAD419A6264DB7409468F95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e415992f2d30875d25c96c4bb3aa5e30e9f5b4c3adc1dee029fdb2fb2f250c00
                          • Instruction ID: fee860e83c61317c24a600dee1a9e073cafca1ca3f8868a6d938feecb809fb33
                          • Opcode Fuzzy Hash: e415992f2d30875d25c96c4bb3aa5e30e9f5b4c3adc1dee029fdb2fb2f250c00
                          • Instruction Fuzzy Hash: E411B3B1D056188BEB18CF6BD9453EEBAF7AFC9300F04C17AD419A6264DB7409468F94

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0089DADE
                          • GetCurrentThread.KERNEL32 ref: 0089DB1B
                          • GetCurrentProcess.KERNEL32 ref: 0089DB58
                          • GetCurrentThreadId.KERNEL32 ref: 0089DBB1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 25bfc00deb78bbfeb5967bc47326310440a78eb1e25bfbf8a75592f6f91ed83d
                          • Instruction ID: b50a6dda147e34ad7e8c300a8e629b962944b4dd931e3da0f232202176e2d158
                          • Opcode Fuzzy Hash: 25bfc00deb78bbfeb5967bc47326310440a78eb1e25bfbf8a75592f6f91ed83d
                          • Instruction Fuzzy Hash: 495157B090038A8FDB54DFAAD948B9EBBF1FF88314F248459E109A7360DBB45944CF65

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 6c30860, CreateProcessA called from block 6c309ef-6c30aa9.
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C30A96
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184978027.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: true
                          • Associated: 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6b70000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 058adb117871f41bb5c9d444e271437a0409d2b236c90f9f1390944a1d43a610
                          • Instruction ID: 3813a52d3f3ddfe46c2fb641229528f93964d436943c2ddd0d75937f2f13c9b9
                          • Opcode Fuzzy Hash: 058adb117871f41bb5c9d444e271437a0409d2b236c90f9f1390944a1d43a610
                          • Instruction Fuzzy Hash: 91913B72E00369DFEF64DF68C84179DBBB2BF48314F1485A9E848A7240DB749A85CF91

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 89b7b7, GetModuleHandleW called from block 89ba00-89ba2b; subroutine calls to 89b458, 89ba52 / 89ba60, 89b464, 89b474, 89b484, 89b494, 89bd31 / 89bd60.
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0089BA1E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: fd97badf9e9e3b7b90a81c8c35498a9e74139fff5b2d38a8bcbb72e6cc06b582
                          • Instruction ID: 7dd407459c4a8fad46d40d5e266ea293274033982864cdc8bd3b3d2644c1f3b9
                          • Opcode Fuzzy Hash: fd97badf9e9e3b7b90a81c8c35498a9e74139fff5b2d38a8bcbb72e6cc06b582
                          • Instruction Fuzzy Hash: 5E819970A00B058FDB24EF69E55175ABBF1FF88304F048A2DD08ADBA51DB75E845CB91

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 8958ec, CreateActCtxA called from entry block 8958ec-8959b9.
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 008959A9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: f5c70538ee580a8ddbcba3df9eb3ba790344758924c165de3aeb93213404a3cd
                          • Instruction ID: 73ab65700bb97aa322235841fc7f1d1b60d58a5c6e96b3e29c2f5c4ca7ec6910
                          • Opcode Fuzzy Hash: f5c70538ee580a8ddbcba3df9eb3ba790344758924c165de3aeb93213404a3cd
                          • Instruction Fuzzy Hash: 5241F1B0C10719CBEF25DFA9C844B9DBBB6BF48304F20816AD408AB291DB715945CF90

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 8944c4, CreateActCtxA called from block 8944c4-8959b9 (same call site, ref 008959A9, as the 8958ec graph).
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 008959A9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 1f1f322ffd7b14749f8ba155c373947879ba83b3af22768f634335ce7cc8c6fa
                          • Instruction ID: 5e59d7aab11c3475e7da04424836d695abc088c458f43f9cd24964df29c69078
                          • Opcode Fuzzy Hash: 1f1f322ffd7b14749f8ba155c373947879ba83b3af22768f634335ce7cc8c6fa
                          • Instruction Fuzzy Hash: 0A41DEB0C0071DCBDB25DFAAC944B9EBBB6FF48304F24816AD408AB291DB756945CF90

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 6c305d8, WriteProcessMemory called from block 6c30636-6c30675.
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C30668
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184978027.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: true
                          • Associated: 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6b70000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: e8bbf23e835fe52770bedaf632840ac8d61e3d6b09d8e10ba535457bbb92943a
                          • Instruction ID: 54842dd1ccb8c8fd137b6390625680f71872dab3de66c105a562a4650f6a4fe4
                          • Opcode Fuzzy Hash: e8bbf23e835fe52770bedaf632840ac8d61e3d6b09d8e10ba535457bbb92943a
                          • Instruction Fuzzy Hash: 382126B29003599FDB10CFA9C985BDEBBF5FF88310F108429E918A7240D7799954CBA4

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 6c306c8, ReadProcessMemory called from entry block 6c306c8-6c30755.
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C30748
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184978027.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: true
                          • Associated: 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6b70000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 66729400338191f243990f5c74f8974d0545bbc5cd367b78fd2ae111530dc7cc
                          • Instruction ID: 1208db109756d6833c614b1775b65cbfbc67925eddeac3e772acac2783a4e352
                          • Opcode Fuzzy Hash: 66729400338191f243990f5c74f8974d0545bbc5cd367b78fd2ae111530dc7cc
                          • Instruction Fuzzy Hash: B82116B29003599FDB10DFAAC881BDEBBF5FF48320F108429E518A7240C7799550CBA5

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 6c30440, Wow64SetThreadContext called from block 6c3049b-6c304cb.
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C304BE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184978027.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: true
                          • Associated: 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6b70000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 0897d290ab69db6b5fb84be807567899d24a2702dd102c01a710bd6f3af51eec
                          • Instruction ID: 554acc3c1ee91e6018288eb46757b87741898e375add22cf9a6eaa08ffce28da
                          • Opcode Fuzzy Hash: 0897d290ab69db6b5fb84be807567899d24a2702dd102c01a710bd6f3af51eec
                          • Instruction Fuzzy Hash: 11213872D003098FDB10DFAAC4857AEBBF4EF88324F148429D519A7240CB789A44CFA5

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 89dca8, DuplicateHandle called from entry block 89dca8-89dd3c.
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089DD2F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: c8e2dbd512976e01d67219a0ed0a26d104d7f65e7969aa9c3b057ce79ba0ec9e
                          • Instruction ID: 12693d5ffb29f07154499230a97df3b59330b6fe659c37c718211f532336f770
                          • Opcode Fuzzy Hash: c8e2dbd512976e01d67219a0ed0a26d104d7f65e7969aa9c3b057ce79ba0ec9e
                          • Instruction Fuzzy Hash: 5221E4B59003099FDB10CF9AD984ADEFBF4FB48320F14841AE914A3350D375A954CFA4

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 89ba52, GetModuleHandleW called from block 89ba01-89ba2b; subroutine calls to 89b458, 89b4b4, 89b4c0, 89b4cc.
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0089BA1E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 0760be0ed4721b69d0274cc65831dec188f482608c7518dc4eb3cb2f219755b5
                          • Instruction ID: 85c444d97baef9bb7768c37f929e544ac35536e23ce3c4fa64f7d1c5d1891eca
                          • Opcode Fuzzy Hash: 0760be0ed4721b69d0274cc65831dec188f482608c7518dc4eb3cb2f219755b5
                          • Instruction Fuzzy Hash: E3112571A003549FEF10EB6AF900BABBBE9FFC5314F18806AD008D3252CB749805CBA1

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 6c30518, VirtualAllocEx called from entry block 6c30518-6c30593.
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C30586
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184978027.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: true
                          • Associated: 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6b70000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 98ab83005e6769833130c30959734da7c6d38ab9506fa0c5c86f1c6294330035
                          • Instruction ID: 5cdd462b2fde0c1b78bdce5dcc00dad0cfec1d2799276ed302ff1c6d2326131d
                          • Opcode Fuzzy Hash: 98ab83005e6769833130c30959734da7c6d38ab9506fa0c5c86f1c6294330035
                          • Instruction Fuzzy Hash: FA1156729003499FDB10DFAAC844BDEBBF5EF88320F108419E519A7250C775A910CFA4
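The five functions disassembled from the 06B70000 image (CreateProcessA at 06C30A96, VirtualAllocEx at 06C30586, WriteProcessMemory at 06C30668, ReadProcessMemory at 06C30748 and Wow64SetThreadContext at 06C304BE) are the primitive set of a RunPE-style process-hollowing loader: create a target process, allocate and write into it, and redirect its thread context. The script below is an added example, not Joe Sandbox code. It parses the report's own "APIs" / "Memory Dump Source" lines (the excerpt inside the block is transcribed from this report), groups the referenced APIs by the memory region each function was dumped from, and matches every region against that chain. The step names and alternative API spellings in CHAIN are assumptions. Two caveats the check is written to respect: the report prints the call arguments as ?, so a CREATE_SUSPENDED flag on CreateProcessA cannot be confirmed from this page, and no ResumeThread reference appears in this section, so it is reported as a missing step rather than inferred.

```python
"""Correlate the API references of a Joe Sandbox disassembly section into
a process-hollowing finding (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Two "Memory Dump Source" lines copied from this report; every function in
# the excerpt below was disassembled from one of these two regions.
SRC_PE = ("• Source File: 00000000.00000002.2184978027.0000000006C30000."
          "00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, "
          "based on PE: true")
SRC_RAW = ("• Source File: 00000000.00000002.2178636170.0000000000890000."
           "00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, "
           "based on PE: false")

# Constructed excerpt: the "APIs" lines are transcribed from the report,
# each followed by the dump-source line of the function it belongs to.
REPORT_EXCERPT = "\n".join([
    "APIs", "• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C30A96",
    "Memory Dump Source", SRC_PE,
    "APIs", "• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C30668",
    "Memory Dump Source", SRC_PE,
    "APIs", "• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C30748",
    "Memory Dump Source", SRC_PE,
    "APIs", "• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C304BE",
    "Memory Dump Source", SRC_PE,
    "APIs", "• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C30586",
    "Memory Dump Source", SRC_PE,
    "APIs", "• PostMessageW.USER32(?,?,?,?), ref: 06C33155",
    "Memory Dump Source", SRC_PE,
    "APIs", "• GetCurrentProcess.KERNEL32 ref: 0089DADE",
    "• GetCurrentThread.KERNEL32 ref: 0089DB1B",
    "• GetCurrentProcess.KERNEL32 ref: 0089DB58",
    "• GetCurrentThreadId.KERNEL32 ref: 0089DBB1",
    "Memory Dump Source", SRC_RAW,
    "APIs", "• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089DD2F",
    "Memory Dump Source", SRC_RAW,
    "APIs", "• GetModuleHandleW.KERNELBASE(00000000), ref: 0089BA1E",
    "Memory Dump Source", SRC_RAW,
    "APIs", "• CreateActCtxA.KERNEL32(?), ref: 008959A9",
    "Memory Dump Source", SRC_RAW,
])

# "• Api.DLL(args), ref: ADDR" or, with no argument list, "• Api.DLL ref: ADDR"
API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<dll>\w+)"
                    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})$")
SRC_RE = re.compile(r"Offset: (?P<base>[0-9A-Fa-f]{8}), based on PE: (?P<pe>true|false)")

# Hollowing chain (assumed step names and alternative spellings). A region
# covering the first CORE_STEPS steps is reported as hollowing; any later
# step it lacks (ResumeThread, in this report) is listed, not inferred.
CHAIN = [
    ("CreateProcess", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("VirtualAllocEx", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("WriteProcessMemory", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("SetThreadContext", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("ResumeThread", {"ResumeThread", "NtResumeThread"}),
]
CORE_STEPS = 4


def parse_api_refs(text):
    """Return a list of (api, dll, args, ref, region_base, dumped_as_pe),
    one per API line, tagged with the Memory Dump Source line that follows."""
    pending, records = [], []
    for line in text.splitlines():
        m = API_RE.match(line.strip())
        if m:
            pending.append(m.groupdict())
            continue
        m = SRC_RE.search(line)
        if m and pending:
            for p in pending:
                records.append((p["api"], p["dll"], p["args"] or "", p["ref"],
                                m.group("base"), m.group("pe") == "true"))
            pending = []
    return records


def group_by_region(records):
    """Map region base address -> sorted distinct API names referenced from it."""
    regions = defaultdict(set)
    for api, _dll, _args, _ref, base, _pe in records:
        regions[base].add(api)
    return {base: sorted(apis) for base, apis in regions.items()}


def assess_region(apis):
    """Match one region's API names against CHAIN."""
    apis = set(apis)
    matched = [step for step, alts in CHAIN if apis & alts]
    missing = [step for step, alts in CHAIN if not apis & alts]
    core = [step for step, _ in CHAIN[:CORE_STEPS]]
    return {"matched": matched, "missing": missing,
            "hollowing": all(step in matched for step in core)}


def find_hollowing_regions(text):
    """Region bases whose API references cover the core hollowing steps."""
    regions = group_by_region(parse_api_refs(text))
    return sorted(base for base, apis in regions.items()
                  if assess_region(apis)["hollowing"])


if __name__ == "__main__":
    for base, apis in group_by_region(parse_api_refs(REPORT_EXCERPT)).items():
        print(base, assess_region(apis))
```

Run against the excerpt, only the 06B70000 region (the one the report dumped as a PE image) covers the four core steps; the 00890000 region contributes only handle, module and activation-context calls. Feeding the whole report text instead of the excerpt is the intended use, since the regex matches the report's line format directly.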

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 89b9b8, GetModuleHandleW called from block 89ba00-89ba2b.
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0089BA1E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178636170.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 002963d9cb832fafce7bbaaa7a20b9aec075970cad2aac362d6bd72dd05765d4
                          • Instruction ID: a28e595e30f6e8f0aa01a82203e66d422c341b7efe51b9f853c1c1a6b0c38ee3
                          • Opcode Fuzzy Hash: 002963d9cb832fafce7bbaaa7a20b9aec075970cad2aac362d6bd72dd05765d4
                          • Instruction Fuzzy Hash: 11110FB6C003498FCB20DF9AD544A9EFBF4EB88724F14841AD419A7210C3B9A545CFA5

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 6c330f8, PostMessageW called from entry block 6c330f8-6c33162.
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 06C33155
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184978027.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: true
                          • Associated: 00000000.00000002.2184697478.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6b70000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: afcc73611728ee414e32f94833885b93eda8ba3002c1814b9229fa5f44456e15
                          • Instruction ID: d67e61e991e425758b568cffc0d06829cce543d1f388cde60a8407bc85f9cbd9
                          • Opcode Fuzzy Hash: afcc73611728ee414e32f94833885b93eda8ba3002c1814b9229fa5f44456e15
                          • Instruction Fuzzy Hash: D511D3B58003499FDB10DF9AC945BDEFBF8EB48724F108459E558A7240C375A544CFA5

                          Control-flow Graph

                          • Basic-block graph not reproduced; entry 51169d0, no Windows API calls; subroutine calls to 51130d8 and 5116a70 / 5116a80.
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID: _
                          • API String ID: 0-701932520
                          • Opcode ID: a3e204046b1cab27f80f8cfa44ed72063f8c03f70ccc323746e7cd49ad524e1c
                          • Instruction ID: 2ce7f36ecb7d44dc532051542a0f8b3cc22aa01bfa2deedad7ecb40beb5f9780
                          • Opcode Fuzzy Hash: a3e204046b1cab27f80f8cfa44ed72063f8c03f70ccc323746e7cd49ad524e1c
                          • Instruction Fuzzy Hash: 76115EB090420ADFDB14DFA8D845BBE7FF5BB44305F2085EAD90AE7601D7B64A04CB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 64e26241efccc3e5d957cac9d21489b9487c8cf593790307b6a813fef9668b5d
                          • Instruction ID: 22f0ffb9940e4e6e28f7e33dee2b6daa8fa80f86040e59c50189efcd34e23793
                          • Opcode Fuzzy Hash: 64e26241efccc3e5d957cac9d21489b9487c8cf593790307b6a813fef9668b5d
                          • Instruction Fuzzy Hash: 88718E9280E3E15FD7179B3C68B51D97F719E53218B1B41EBC5C08F0A3EA58490EC7AA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50c8fda1bbbcfc1e0e510872cc566ae0ead236e2b93421c25feb561d29eb84c4
                          • Instruction ID: 7b13e9c6ac359c7ba8d801541fb8e5fd01012ce5cf45e3ada75214b42b5a0dd0
                          • Opcode Fuzzy Hash: 50c8fda1bbbcfc1e0e510872cc566ae0ead236e2b93421c25feb561d29eb84c4
                          • Instruction Fuzzy Hash: B1F0F6759092848FE715DB64E8153E93FB69F45300F4191B6D806A6252DBB84E07CB52
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e978e6ddd4b297f760523660359b387c7f85df63acadd6ab57af89de52f5142
                          • Instruction ID: 0cfbf9ae022d79acd7059431da02df77f84b17fac6a9c7d9b753b064254d9a41
                          • Opcode Fuzzy Hash: 4e978e6ddd4b297f760523660359b387c7f85df63acadd6ab57af89de52f5142
                          • Instruction Fuzzy Hash: 3751D374E14219DFDB14CFE9D5809AEBBF2FB49310F20856AE816AB385E7309942CF54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d865bb5e5675e99ade881e4a33e645cef18aeea38e12f91ab110d412b10aadb6
                          • Instruction ID: 7466acbe12986098873fd5f958bfb480114920fa2379b9391ff4fce040ed0982
                          • Opcode Fuzzy Hash: d865bb5e5675e99ade881e4a33e645cef18aeea38e12f91ab110d412b10aadb6
                          • Instruction Fuzzy Hash: 5061A178E052288FCB14DFA8C984AADFBF1BF49300F2495A9D809E7355D335A982CF54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8c7075079aa78ac20c6343bb08db11b19989e2b7b7d7d7e9a9bad2e4fd457a27
                          • Instruction ID: e8b6b536bc2869b763335a67a83a3ef6ae22957514e9b066d5489566e407e21f
                          • Opcode Fuzzy Hash: 8c7075079aa78ac20c6343bb08db11b19989e2b7b7d7d7e9a9bad2e4fd457a27
                          • Instruction Fuzzy Hash: 4051E574E14209DFDB14CFA9C84099EBBB2FB49310F1185AAEC16EB391E7309942CF54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cdda968963da7ad9e572ac130a8120e120060356a8361ae7df0238abb470cd0f
                          • Instruction ID: 4407fb6ec770abba01c9c7a4d1fc0621c6932bbf19a5c08a9f6b83fd9455ef80
                          • Opcode Fuzzy Hash: cdda968963da7ad9e572ac130a8120e120060356a8361ae7df0238abb470cd0f
                          • Instruction Fuzzy Hash: 13419CB5D082488FDB08DFE6C9553EEBBF2FF89300F14846AD419AB255E7304A06CB45
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e6ec508ada7771b836dda5287f8b76a83a31e7abbce441e3e2ab77464292be2
                          • Instruction ID: 8edcb3c99ea0562a26372347d82fb0d4845cbef695987d3964f631485acc4d11
                          • Opcode Fuzzy Hash: 8e6ec508ada7771b836dda5287f8b76a83a31e7abbce441e3e2ab77464292be2
                          • Instruction Fuzzy Hash: 50314AB4E082588FDB18CFA6C8547EEBBF6BF89300F15902AD419AB355DB704906CF40
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 658ddb19691d18ca2b7260cd53582fd565d7f9c5274f0c48885b0d3b555c0237
                          • Instruction ID: b60307aba6c815677d8730eec49afb5ac31c6716eb23b33418d792154541d3ab
                          • Opcode Fuzzy Hash: 658ddb19691d18ca2b7260cd53582fd565d7f9c5274f0c48885b0d3b555c0237
                          • Instruction Fuzzy Hash: D6411B74A06219DFEB14DF64E844BA9BBB6FB84304F1191EAD90DA7304DB749D81CF11
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 862f385b880066597b84630f2f1d716d0b7b6c88306d02a442864b3c1a376c96
                          • Instruction ID: 4ed7e74634f02fd8e1a915ab39b116aa61d1c0aff633cf8a976488f38afe91d5
                          • Opcode Fuzzy Hash: 862f385b880066597b84630f2f1d716d0b7b6c88306d02a442864b3c1a376c96
                          • Instruction Fuzzy Hash: 9F310874E086588BDB18CFAAC8556EEFBF6FF89300F109029D419AB354DB745906CF44
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1927c18f322c801729ae222a6ca09b584c14e503154ec0c75c0632f64f8620af
                          • Instruction ID: 7f3f9ffb7baad25a8b3de47b52a6cfdc3a462e367cf14c58e4a7c7235b8f01f7
                          • Opcode Fuzzy Hash: 1927c18f322c801729ae222a6ca09b584c14e503154ec0c75c0632f64f8620af
                          • Instruction Fuzzy Hash: 6431B174E04219DFCF08CFA9C894AEDBBF2FF48300F108169E929AB251D7315945CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4934f2b3af1aee790359d5fbe54cc05d84f838ff358a7bb3e55c6d1129453d11
                          • Instruction ID: cdd15466b391298bc68c7aa6c754b4819643f198c74dfded3cd1531774e522f2
                          • Opcode Fuzzy Hash: 4934f2b3af1aee790359d5fbe54cc05d84f838ff358a7bb3e55c6d1129453d11
                          • Instruction Fuzzy Hash: EB318D7490C245CFD724DF54C0999BEFBBAFF5A301B2692A1DC4A96152CB30D882CB98
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b59f2f6f7b44e771a463ab97d7b46af629476864eb056299cef57d54d76a2c91
                          • Instruction ID: e1fc5fd45be3d96ebbd9152eb75f3962e3b8003e2a516a5e8f8c71f63d9bbbad
                          • Opcode Fuzzy Hash: b59f2f6f7b44e771a463ab97d7b46af629476864eb056299cef57d54d76a2c91
                          • Instruction Fuzzy Hash: CD312874E09209DFCB18CFA8D4409EEBBF6FB49314F1554AAE816B7381D7309941CBA9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 13d8c2b3ebf28c061b1d6ed47d27ac92c2979c161a4276accdad4e5e409f44e4
                          • Instruction ID: 670e247e4c50e3cb97f0912da3282d8d2f6f840372dc4081f3e22c147e4a6b4a
                          • Opcode Fuzzy Hash: 13d8c2b3ebf28c061b1d6ed47d27ac92c2979c161a4276accdad4e5e409f44e4
                          • Instruction Fuzzy Hash: CC315F74E04218CFDB54DFA9C980A9DBBF2BB48314F2481A9D818A7356D735AA428F50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2177951962.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_83d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31b4d8ca0f3332a63c7a1518c27644325d88a43a9f52aea071d988d0c1cc8b16
                          • Instruction ID: b19cbbc273bb517472187b2983040be4a4e420b5b6bfc89f062213235445e0f9
                          • Opcode Fuzzy Hash: 31b4d8ca0f3332a63c7a1518c27644325d88a43a9f52aea071d988d0c1cc8b16
                          • Instruction Fuzzy Hash: 9E212572504344EFDB05DF14E9C0B26BF65FBC8318F20C569E9098B256C336D856CAE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2177951962.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_83d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0bd3430a24b821b77b34c5075525638b1bfa27e93351b3db763e42bd6953b779
                          • Instruction ID: 8695e2d39cee62540b6099ff39016163305975b74f0ecf2ebd9dd1695c310c68
                          • Opcode Fuzzy Hash: 0bd3430a24b821b77b34c5075525638b1bfa27e93351b3db763e42bd6953b779
                          • Instruction Fuzzy Hash: 3421F476504304DFDB05DF14E9C0B26BB65FBD4324F20C169D9098B256C33AE856CAE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51855d2e0d5fb1fe2a3b4f5fb65d03915279ccf8655de7be202245c2ee524316
                          • Instruction ID: 6b574b59074b942c52521197dd4401d08cdbeff50e3334e9a2abdcdde5f8cf18
                          • Opcode Fuzzy Hash: 51855d2e0d5fb1fe2a3b4f5fb65d03915279ccf8655de7be202245c2ee524316
                          • Instruction Fuzzy Hash: A4312174A05249DFDB04DFA8E4847ADBFB6FB48308F11A269D81AAB359DB749C01CF00
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc6458d2a95db4be5c5c47cd76509b60c91cb155d3a99f20bcaccb7a13ad719e
                          • Instruction ID: d9ed5e6b3fa80bc51895fdf5ac28172b059cde3dfb7972b7d6090f9d2aaca53c
                          • Opcode Fuzzy Hash: cc6458d2a95db4be5c5c47cd76509b60c91cb155d3a99f20bcaccb7a13ad719e
                          • Instruction Fuzzy Hash: 4C21E6B4E09209EFCB18CFA9D6805EDBBF5EB49310F01906AE816B3710D7355A418F69
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 58bc923079012243dd2835c0c2b634396f1831f008d46f896c453ebdbe345ae1
                          • Instruction ID: 29cbb2ab3a96541f36db8a3ef70b6c549f0760bba59530fd1a54d5c5a7fbb386
                          • Opcode Fuzzy Hash: 58bc923079012243dd2835c0c2b634396f1831f008d46f896c453ebdbe345ae1
                          • Instruction Fuzzy Hash: EF31D474E112089FCB04DFA9D484ADDBBB1FF88310F01906AE906A7361DB34AE45CFA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178034000.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_84d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61a88d172ee8e91bde42cc3d3e40293e96b2105e467c6f44736dbe61b0b3d271
                          • Instruction ID: 764ebee0f8b872c14683f2bb62924233142123ee42123d1cdd802e44948c7a53
                          • Opcode Fuzzy Hash: 61a88d172ee8e91bde42cc3d3e40293e96b2105e467c6f44736dbe61b0b3d271
                          • Instruction Fuzzy Hash: A221F975604348EFDB05DF14D5C0B25BBA5FB84318F24C66DE9098B352C7BAE846CA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178034000.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_84d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75f3e6d88cd610bc06b8653ee4c9e0f8d92de9320e782203c71e9822c15a0e78
                          • Instruction ID: a114bf0c901657b81b32e349e6a2974e86e0fcd1438c5016cd4d8fe9b72640ec
                          • Opcode Fuzzy Hash: 75f3e6d88cd610bc06b8653ee4c9e0f8d92de9320e782203c71e9822c15a0e78
                          • Instruction Fuzzy Hash: 5C213475604708EFCB14DF14D9C0B26BB61FB84318F20C56DD90A8B392C37AD807CA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57de359aed1178c90a4b09a86d48ee7b47431d6b51bb2156a8b1df66bd19542e
                          • Instruction ID: 0de615193a0b1e70406ff9f366e6b86e93beee6ad2ebeac015711f83ec37cf64
                          • Opcode Fuzzy Hash: 57de359aed1178c90a4b09a86d48ee7b47431d6b51bb2156a8b1df66bd19542e
                          • Instruction Fuzzy Hash: 1C21B774E09209EFCB18CFA9D6805EDFBF6EB49350F11546AE816B3700D73559418F68
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 993fa7ecafa36fcb18f250fe87873ad0ed235eff0c0dd7ad0492920da990800e
                          • Instruction ID: b5ac3fb789e8f2256b072621c293eaf72290d5334c207319206a10c628e97b5e
                          • Opcode Fuzzy Hash: 993fa7ecafa36fcb18f250fe87873ad0ed235eff0c0dd7ad0492920da990800e
                          • Instruction Fuzzy Hash: A521E574E04219DFCB18CFA8D4409EEBBF6EB49210F14946AE816B7380D73099418FA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 197042d199f135144c4b1922fe5fb22aa6ed99f134cba2d8de37fd4bf31f61ff
                          • Instruction ID: 0dfb6610894761427b756b3928385c8131ae20d725181215274cb7121dde4ffd
                          • Opcode Fuzzy Hash: 197042d199f135144c4b1922fe5fb22aa6ed99f134cba2d8de37fd4bf31f61ff
                          • Instruction Fuzzy Hash: 871128B4D08319DFDB18CFB4D4445EEBBB5EB4A310F0154A6D816B7381E7315A818FA9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 97a0647388c1499c6a5abdfd489a844d7d18ee113ce14d162319da464e1106fe
                          • Instruction ID: 31c41233412ce98baa3ec49266f7ebe58cccaa9b85050ecec5a0ed91feaed018
                          • Opcode Fuzzy Hash: 97a0647388c1499c6a5abdfd489a844d7d18ee113ce14d162319da464e1106fe
                          • Instruction Fuzzy Hash: CA115130B042149BDB289AB9981477E7EABFFC4750F148279ED16D7381EF70890187D5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c74f1eb486c10bc86ab0e1b355925230842eddd611006270f68caf4270a0a1aa
                          • Instruction ID: 36fc5e50ab0607011ac0bec64ac08b8a02201f7fad7ae5953066d565ccd59815
                          • Opcode Fuzzy Hash: c74f1eb486c10bc86ab0e1b355925230842eddd611006270f68caf4270a0a1aa
                          • Instruction Fuzzy Hash: 19117970E05314CFD709CFAAC9016ADBBF6BF89300B05C0AAE845AB255DB348942CF94
                          Memory Dump Source
                          • Source File: 00000000.00000002.2177951962.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_83d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                          • Instruction ID: dff2eee821655eeb47493c252b45131e32a4f44a7fc1c4bde2f3f63b70b34d47
                          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                          • Instruction Fuzzy Hash: 0E11D3B6504380DFCB16CF10E5C4B16BF71FB94324F24C6A9D8494B656C33AE856CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2177951962.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_83d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                          • Instruction ID: 82670d446f0d90a922824f250e6140bbe46a279bb71eaf73a3ee41cbbe5e035d
                          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                          • Instruction Fuzzy Hash: 7511D376504380CFCB16CF10D5C4B16BF71FB94318F24C6A9D8494B656C33AD856CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb444fbc7b1dc3104c5864327668626c7ad6d58bb875be870a90537343da0611
                          • Instruction ID: 7f5849ea6cc7665b6a784e3f2432d068e8131fbf9fdcf59c2150ca1df1c0fc89
                          • Opcode Fuzzy Hash: bb444fbc7b1dc3104c5864327668626c7ad6d58bb875be870a90537343da0611
                          • Instruction Fuzzy Hash: 502106B69043499FCF10CF9AC944ADEBFF4FB48310F108469E919A7211C375A554CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd013c6e844634040733db09ba048e15d8c0dc34694651daccbc3f0d09bb6582
                          • Instruction ID: cfa174def381328943a5bd7feffd7f32e6750668452406b4a04c5fdf69c83632
                          • Opcode Fuzzy Hash: bd013c6e844634040733db09ba048e15d8c0dc34694651daccbc3f0d09bb6582
                          • Instruction Fuzzy Hash: 8621D0B68003499FCB50CF9AD984ADEBBF4FB48320F10852AE959A7310C379A555CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f6348568b4769bf44abbae1199cf4e573a041a9fc777da314d52e79d88fd128
                          • Instruction ID: dd106b581e316993f79537c5e4cf248f7aaaba6bf8931762547a8d6a972910d8
                          • Opcode Fuzzy Hash: 4f6348568b4769bf44abbae1199cf4e573a041a9fc777da314d52e79d88fd128
                          • Instruction Fuzzy Hash: 0E11E574D08219DBCB18CFB5D4445EEBBB6EB4A210F1154AAD816B3380E7715A818FA9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d19aac7861c6346dcdab428e63e88cf7cbab0020f4146217cb11cb102e25fe08
                          • Instruction ID: 684747b20188da88e5219effe6cbe7e8d8875d64aa23d0d1bc1683a47b4319fe
                          • Opcode Fuzzy Hash: d19aac7861c6346dcdab428e63e88cf7cbab0020f4146217cb11cb102e25fe08
                          • Instruction Fuzzy Hash: 0C21D574A14268CFDB28CF54C885BECBBB5FB49341F5191E6E80AAB352C731A981CF54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178034000.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_84d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                          • Instruction ID: c57d30a0364c64e0cb723dbc131b2ce035b91abcf091b04d5b4869d1834b08db
                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                          • Instruction Fuzzy Hash: 2A118B75504784DFCB15CF14D5C4B15BBA2FB84314F24C6AAD8498B656C33AD84ACBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2178034000.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_84d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                          • Instruction ID: 5bf5e5f82fb672080052af3d8968b6b8155f22871a2fb5a978b61f8dce1723e2
                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                          • Instruction Fuzzy Hash: 97118B75504384DFCB15CF10D5C4B15BBA2FB84314F24C6A9D8498B6A6C37AE84ACB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a50051a285a03402a5bb15a8dee1056e46c199f2c0fbb8bf64252c54df2c00e
                          • Instruction ID: 9c337d17915049c5868b42ba0717ec63b3d0672122ed74b86a2511cab00d070e
                          • Opcode Fuzzy Hash: 5a50051a285a03402a5bb15a8dee1056e46c199f2c0fbb8bf64252c54df2c00e
                          • Instruction Fuzzy Hash: 50118F74A05208DFDB00DFA8E8847ADBBB2FF48308F119269D806AB349DB749C01CF00
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e95adf4e7dd6887d36a129820312f760a210d6a08be8817fa104534ee246ef5
                          • Instruction ID: 30464b7abb318665699b6836cc9c9c2d02543d03df95d4f0e1e1591e5e3b90b9
                          • Opcode Fuzzy Hash: 4e95adf4e7dd6887d36a129820312f760a210d6a08be8817fa104534ee246ef5
                          • Instruction Fuzzy Hash: D7119F75E00209DFCF08DFE8C4949ADBBB2FB88305F10816AE929AB355D7315956CB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cd8061777d2be0b7845f2f66f1af15c515005c214bb75f4aea486efc76a56186
                          • Instruction ID: e95f73ada8906c125dd6d1e881c589f758116411ef4b9d5b0befe57e60fad9e4
                          • Opcode Fuzzy Hash: cd8061777d2be0b7845f2f66f1af15c515005c214bb75f4aea486efc76a56186
                          • Instruction Fuzzy Hash: EF0126B0A0D248DFC719DB15C510AFDBBBAAF5A700B06D1E9D8088B153CB304F06CB85
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e47143264b5edcb8b177b724390a710907f9d5c4d3064b58e94ed3c57e44e92
                          • Instruction ID: 8860d3b37fa336f6064a4b7a629602ae0c3b7e0b9f2082779007ac3b865b8d5d
                          • Opcode Fuzzy Hash: 1e47143264b5edcb8b177b724390a710907f9d5c4d3064b58e94ed3c57e44e92
                          • Instruction Fuzzy Hash: 9A01B17560C148DFC705DBA8C654BADBFF6AF4A300F1A91D5E84ACB262C7348E02DB41
                          Memory Dump Source
                          • Source File: 00000000.00000002.2177951962.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_83d000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 993424625d625c21119d531f3128bc4e73f95fab163c4b67bcffe161a4b6ecca
                          • Instruction ID: 52801b9ac2fed90ea00a485f2a389d8f558506dc2044f770f74ca674899acf55
                          • Opcode Fuzzy Hash: 993424625d625c21119d531f3128bc4e73f95fab163c4b67bcffe161a4b6ecca
                          • Instruction Fuzzy Hash: DD0126724093449AF7105E65ED84B66FF98FFC1364F18C51AEE088E282D6B99840CAF1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce0149547542d980b0e9df489c93452ef688f817c1728160374637091efd25ff
                          • Instruction ID: a70369c6e74f5ec62cb6ad4131a4a5d6edea215afcbd875fd87df258e70f851e
                          • Opcode Fuzzy Hash: ce0149547542d980b0e9df489c93452ef688f817c1728160374637091efd25ff
                          • Instruction Fuzzy Hash: A1110971E04218DFCB18CF6AC8449ADBBF6BF89300B00C169E805A7350DB309942CF50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2184071838.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_5110000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8ac4c9b581e5d47a57b8e85f9d2b5a165dcc9962cf38817cb9032b980851a2de
                          • Instruction ID: ec8e43ddb03015ff82fd0aed21efb1687ff69ac82d4462db480fe94c3b85e46b
                          • Opcode Fuzzy Hash: 8ac4c9b581e5d47a57b8e85f9d2b5a165dcc9962cf38817cb9032b980851a2de

                          Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.8%
Total number of Nodes: 1047
Total number of Limit Nodes: 53
401eea 26 API calls 46667->46669 46669->46651 46672 401e13 26 API calls 46675 40e0c5 46672->46675 46673 40e0ed DeleteFileW 46674 40e0f4 46673->46674 46673->46675 46677 41ae18 28 API calls 46674->46677 46675->46673 46675->46674 46676 40e0db Sleep 46675->46676 47100 401e07 46676->47100 46679 40e104 46677->46679 46920 41297a RegOpenKeyExW 46679->46920 46681 40e117 46682 401e13 26 API calls 46681->46682 46683 40e121 46682->46683 46684 401e13 26 API calls 46683->46684 46684->46659 46685->46371 46686->46376 46687->46375 46688->46385 46689->46387 46690->46390 46691->46365 46692->46368 46693->46372 46694->46394 46695->46396 46700 44e959 46696->46700 46699 437a27 8 API calls 3 library calls 46699->46401 46703 44e972 46700->46703 46702 4336ea 46702->46398 46702->46699 46704 433d3c 5 API calls ___raise_securityfailure 46703->46704 46704->46702 46706 433c81 GetStartupInfoW 46705->46706 46706->46405 46708 44ddeb 46707->46708 46709 44dde2 46707->46709 46708->46409 46712 44dcd8 51 API calls 4 library calls 46709->46712 46711->46409 46712->46708 46714 41bd32 LoadLibraryA GetProcAddress 46713->46714 46715 41bd22 GetModuleHandleA GetProcAddress 46713->46715 46716 41bd5b 32 API calls 46714->46716 46717 41bd4b LoadLibraryA GetProcAddress 46714->46717 46715->46714 46716->46413 46717->46716 47104 41a64f FindResourceA 46718->47104 46721 43a89c ___std_exception_copy 21 API calls 46722 40e192 ctype 46721->46722 47107 401f86 46722->47107 46725 401eef 26 API calls 46726 40e1b8 46725->46726 46727 401eea 26 API calls 46726->46727 46728 40e1c1 46727->46728 46729 43a89c ___std_exception_copy 21 API calls 46728->46729 46730 40e1d2 ctype 46729->46730 47111 406052 46730->47111 46732 40e205 46732->46415 46734 401fcc 46733->46734 47119 402501 46734->47119 46736 401fea 46736->46418 46757 41afe6 46737->46757 46738 41b056 46739 401eea 26 API calls 46738->46739 46740 41b088 46739->46740 46742 401eea 26 API calls 46740->46742 46741 41b058 47132 403b60 28 API calls 46741->47132 46745 41b090 46742->46745 
46747 401eea 26 API calls 46745->46747 46746 41b064 46749 401eef 26 API calls 46746->46749 46748 40d7c6 46747->46748 46758 40e8bd 46748->46758 46751 41b06d 46749->46751 46750 401eef 26 API calls 46750->46757 46752 401eea 26 API calls 46751->46752 46754 41b075 46752->46754 46753 401eea 26 API calls 46753->46757 46755 41bfb9 28 API calls 46754->46755 46755->46738 46757->46738 46757->46741 46757->46750 46757->46753 47124 403b60 28 API calls 46757->47124 47125 41bfb9 46757->47125 46759 40e8ca 46758->46759 46761 40e8da 46759->46761 47160 40200a 26 API calls 46759->47160 46761->46423 46763 40200a 46762->46763 46767 40203a 46763->46767 47161 402654 26 API calls 46763->47161 46765 40202b 47162 4026ba 26 API calls _Deallocate 46765->47162 46767->46425 46769 401d6c 46768->46769 46770 401d74 46769->46770 47163 401fff 28 API calls 46769->47163 46770->46430 46774 404ccb 46773->46774 47164 402e78 46774->47164 46776 404cee 46776->46437 47173 404bc4 46777->47173 46779 405cf4 46779->46440 46781 401efe 46780->46781 46783 401f0a 46781->46783 47182 4021b9 26 API calls 46781->47182 46783->46444 46785 4021b9 46784->46785 46786 4021e8 46785->46786 47183 40262e 26 API calls _Deallocate 46785->47183 46786->46447 46790 401ec9 46788->46790 46789 401ee4 46789->46455 46790->46789 46791 402325 28 API calls 46790->46791 46791->46789 47184 401e8f 46792->47184 46794 40bee1 CreateMutexA GetLastError 46794->46471 47186 41b16b 46795->47186 46800 401eef 26 API calls 46801 41a4af 46800->46801 46802 401eea 26 API calls 46801->46802 46803 41a4b7 46802->46803 46804 41a50a 46803->46804 46805 412513 31 API calls 46803->46805 46804->46475 46806 41a4dd 46805->46806 46807 41a4e8 StrToIntA 46806->46807 46808 41a4ff 46807->46808 46809 41a4f6 46807->46809 46811 401eea 26 API calls 46808->46811 47194 41c112 28 API calls 46809->47194 46811->46804 46813 40698f 46812->46813 46814 4124b7 3 API calls 46813->46814 46815 406996 46814->46815 46815->46486 46815->46487 46817 41ae2c 46816->46817 47195 40b027 46817->47195 
46819 41ae34 46819->46501 46821 401e27 46820->46821 46823 401e33 46821->46823 47204 402121 26 API calls 46821->47204 46823->46504 46825 402121 46824->46825 46826 402150 46825->46826 47205 402718 26 API calls _Deallocate 46825->47205 46826->46507 46829 4128c0 46828->46829 46830 406052 28 API calls 46829->46830 46831 4128d5 46830->46831 46832 401fbd 28 API calls 46831->46832 46833 4128e5 46832->46833 46834 4126d2 29 API calls 46833->46834 46835 4128ef 46834->46835 46836 401eea 26 API calls 46835->46836 46837 4128fc 46836->46837 46837->46553 46839 401f6e 46838->46839 47206 402301 46839->47206 46843 412722 46842->46843 46845 4126eb 46842->46845 46844 401eea 26 API calls 46843->46844 46846 40dd3b 46844->46846 46847 4126fd RegSetValueExA RegCloseKey 46845->46847 46846->46554 46847->46843 46849 43a610 _strftime 46848->46849 47210 43994e 46849->47210 46853 41a747 46852->46853 46854 41a6ac GetLocalTime 46852->46854 46855 401eea 26 API calls 46853->46855 46856 404cbf 28 API calls 46854->46856 46857 41a74f 46855->46857 46858 41a6ee 46856->46858 46859 401eea 26 API calls 46857->46859 46860 405ce6 28 API calls 46858->46860 46862 40ddaa 46859->46862 46861 41a6fa 46860->46861 47244 4027cb 46861->47244 46862->46578 46864 41a706 46865 405ce6 28 API calls 46864->46865 46866 41a712 46865->46866 47247 406478 76 API calls 46866->47247 46868 41a720 46869 401eea 26 API calls 46868->46869 46870 41a72c 46869->46870 46871 401eea 26 API calls 46870->46871 46872 41a735 46871->46872 46873 401eea 26 API calls 46872->46873 46874 41a73e 46873->46874 46875 401eea 26 API calls 46874->46875 46875->46853 46877 409536 _wcslen 46876->46877 46878 409541 46877->46878 46879 409558 46877->46879 46880 40c89e 31 API calls 46878->46880 46881 40c89e 31 API calls 46879->46881 46882 409549 46880->46882 46883 409560 46881->46883 46884 401e18 26 API calls 46882->46884 46885 401e18 26 API calls 46883->46885 46900 409553 46884->46900 46886 40956e 46885->46886 46887 401e13 26 API calls 46886->46887 46889 409576 
46887->46889 46888 401e13 26 API calls 46890 4095ad 46888->46890 47267 40856b 28 API calls 46889->47267 47252 409837 46890->47252 46893 409588 47268 4028cf 46893->47268 46896 409593 46897 401e18 26 API calls 46896->46897 46898 40959d 46897->46898 46899 401e13 26 API calls 46898->46899 46899->46900 46900->46888 47287 403b40 46901->47287 46905 41a80d 46906 4028cf 28 API calls 46905->46906 46907 41a817 46906->46907 46908 401e13 26 API calls 46907->46908 46909 41a820 46908->46909 46910 401e13 26 API calls 46909->46910 46911 40dfc3 46910->46911 46911->46631 46913 40e08b 46912->46913 46914 41248f RegQueryValueExA RegCloseKey 46912->46914 46913->46659 46913->46663 46914->46913 46916 4125b0 RegQueryValueExW RegCloseKey 46915->46916 46917 4125dd 46915->46917 46916->46917 46918 403b40 28 API calls 46917->46918 46919 40e0ba 46918->46919 46919->46672 46921 412992 RegDeleteValueW 46920->46921 46922 4129a6 46920->46922 46921->46922 46923 4129a2 46921->46923 46922->46681 46923->46681 46925 40cbc5 46924->46925 46926 41246e 3 API calls 46925->46926 46927 40cbcc 46926->46927 46931 40cbeb 46927->46931 47320 401602 46927->47320 46929 40cbd9 47323 4127d5 RegCreateKeyA 46929->47323 46932 413fd4 46931->46932 46933 413feb 46932->46933 47340 41aa83 46933->47340 46935 413ff6 46936 401d64 28 API calls 46935->46936 46937 41400f 46936->46937 46938 43a5f7 _strftime 42 API calls 46937->46938 46939 41401c 46938->46939 46940 414021 Sleep 46939->46940 46941 41402e 46939->46941 46940->46941 46942 401f66 28 API calls 46941->46942 46943 41403d 46942->46943 46944 401d64 28 API calls 46943->46944 46945 41404b 46944->46945 46946 401fbd 28 API calls 46945->46946 46947 414053 46946->46947 46948 41afd3 28 API calls 46947->46948 46949 41405b 46948->46949 47344 404262 WSAStartup 46949->47344 46951 414065 46952 401d64 28 API calls 46951->46952 46953 41406e 46952->46953 46954 401d64 28 API calls 46953->46954 46968 4140ed 46953->46968 46955 414087 46954->46955 46956 401d64 28 API calls 46955->46956 46957 414098 
46956->46957 46959 401d64 28 API calls 46957->46959 46958 41afd3 28 API calls 46958->46968 46960 4140a9 46959->46960 46962 401d64 28 API calls 46960->46962 46961 4085b4 28 API calls 46961->46968 46963 4140ba 46962->46963 46965 401d64 28 API calls 46963->46965 46964 4027cb 28 API calls 46964->46968 46967 4140cb 46965->46967 46966 401eef 26 API calls 46966->46968 46969 401d64 28 API calls 46967->46969 46968->46958 46968->46961 46968->46964 46968->46966 46970 401d64 28 API calls 46968->46970 46973 41a696 79 API calls 46968->46973 46975 414244 WSAGetLastError 46968->46975 46980 401f66 28 API calls 46968->46980 46983 401eea 26 API calls 46968->46983 46984 404cbf 28 API calls 46968->46984 46985 401d8c 26 API calls 46968->46985 46986 405ce6 28 API calls 46968->46986 46987 43a5f7 _strftime 42 API calls 46968->46987 46992 401fbd 28 API calls 46968->46992 46994 412513 31 API calls 46968->46994 47017 41446f 46968->47017 47345 413f9a 46968->47345 47351 4041f1 46968->47351 47358 404915 46968->47358 47373 40428c connect 46968->47373 47433 4047eb WaitForSingleObject 46968->47433 47449 404c9e 28 API calls 46968->47449 47450 413683 50 API calls 46968->47450 47451 4082dc 28 API calls 46968->47451 47452 440c61 26 API calls 46968->47452 47453 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 46968->47453 46971 4140dd 46969->46971 46970->46968 47447 404101 87 API calls 46971->47447 46973->46968 47448 41bc86 30 API calls 46975->47448 46980->46968 46983->46968 46984->46968 46985->46968 46986->46968 46988 414b80 Sleep 46987->46988 46988->46968 46992->46968 46994->46968 46995 403b40 28 API calls 46995->47017 46998 401d64 28 API calls 46999 4144ed GetTickCount 46998->46999 47456 41ad56 28 API calls 46999->47456 47002 41ad56 28 API calls 47002->47017 47004 41aed8 28 API calls 47004->47017 47007 405ce6 28 API calls 47007->47017 47008 4027cb 28 API calls 47008->47017 47009 40275c 28 API calls 47009->47017 47011 401eea 26 API calls 47011->47017 47014 401f66 28 API calls 47014->47017 47015 
41a696 79 API calls 47015->47017 47016 414b22 CreateThread 47016->47017 47488 419e99 101 API calls 47016->47488 47017->46968 47017->46995 47017->46998 47017->47002 47017->47004 47017->47007 47017->47008 47017->47009 47017->47011 47017->47014 47017->47015 47017->47016 47018 401e13 26 API calls 47017->47018 47454 40cbf1 6 API calls 47017->47454 47455 41adfe 28 API calls 47017->47455 47457 41acb0 GetTickCount 47017->47457 47458 41ac62 30 API calls ___scrt_fastfail 47017->47458 47459 40e679 29 API calls 47017->47459 47460 4027ec 28 API calls 47017->47460 47461 404468 59 API calls ctype 47017->47461 47462 4045d5 111 API calls ___std_exception_copy 47017->47462 47463 40a767 84 API calls 47017->47463 47018->47017 47019->46431 47020->46441 47023 4085c0 47022->47023 47024 402e78 28 API calls 47023->47024 47025 4085e4 47024->47025 47025->46463 47027 4124e1 RegQueryValueExA RegCloseKey 47026->47027 47028 41250b 47026->47028 47027->47028 47028->46459 47029->46467 47030->46494 47031->46487 47032->46478 47033->46492 47035 40c8ba 47034->47035 47036 40c8da 47035->47036 47037 40c90f 47035->47037 47040 40c8d0 47035->47040 47489 41a75b 29 API calls 47036->47489 47039 41b16b GetCurrentProcess 47037->47039 47038 40ca03 GetLongPathNameW 47042 403b40 28 API calls 47038->47042 47043 40c914 47039->47043 47040->47038 47045 40ca18 47042->47045 47046 40c918 47043->47046 47047 40c96a 47043->47047 47044 40c8e3 47048 401e18 26 API calls 47044->47048 47049 403b40 28 API calls 47045->47049 47051 403b40 28 API calls 47046->47051 47050 403b40 28 API calls 47047->47050 47052 40c8ed 47048->47052 47053 40ca27 47049->47053 47054 40c978 47050->47054 47055 40c926 47051->47055 47057 401e13 26 API calls 47052->47057 47492 40cc37 28 API calls 47053->47492 47060 403b40 28 API calls 47054->47060 47061 403b40 28 API calls 47055->47061 47057->47040 47058 40ca3a 47493 402860 28 API calls 47058->47493 47063 40c98e 47060->47063 47064 40c93c 47061->47064 47062 40ca45 47494 402860 28 API calls 47062->47494 47491 
402860 28 API calls 47063->47491 47490 402860 28 API calls 47064->47490 47068 40ca4f 47071 401e13 26 API calls 47068->47071 47069 40c999 47072 401e18 26 API calls 47069->47072 47070 40c947 47073 401e18 26 API calls 47070->47073 47075 40ca59 47071->47075 47076 40c9a4 47072->47076 47074 40c952 47073->47074 47078 401e13 26 API calls 47074->47078 47079 401e13 26 API calls 47075->47079 47077 401e13 26 API calls 47076->47077 47080 40c9ad 47077->47080 47081 40c95b 47078->47081 47082 40ca62 47079->47082 47084 401e13 26 API calls 47080->47084 47085 401e13 26 API calls 47081->47085 47083 401e13 26 API calls 47082->47083 47086 40ca6b 47083->47086 47084->47052 47085->47052 47087 401e13 26 API calls 47086->47087 47088 40ca74 47087->47088 47089 401e13 26 API calls 47088->47089 47090 40ca7d 47089->47090 47090->46540 47091->46551 47092->46574 47093->46533 47094->46566 47095->46602 47096->46612 47097->46635 47098->46624 47099->46658 47101 401e0c 47100->47101 47102->46485 47105 40e183 47104->47105 47106 41a66c LoadResource LockResource SizeofResource 47104->47106 47105->46721 47106->47105 47108 401f8e 47107->47108 47114 402325 47108->47114 47110 401fa4 47110->46725 47112 401f86 28 API calls 47111->47112 47113 406066 47112->47113 47113->46732 47115 40232f 47114->47115 47117 40233a 47115->47117 47118 40294a 28 API calls 47115->47118 47117->47110 47118->47117 47120 40250d 47119->47120 47122 40252b 47120->47122 47123 40261a 28 API calls 47120->47123 47122->46736 47123->47122 47124->46757 47126 41bfbe 47125->47126 47127 41bfe2 47126->47127 47128 41bfdb 47126->47128 47133 41c562 47127->47133 47152 41bff3 28 API calls 47128->47152 47130 41bfe0 47130->46757 47132->46746 47134 41c56c __EH_prolog 47133->47134 47135 41c683 47134->47135 47136 41c5a5 47134->47136 47159 402649 28 API calls std::_Xinvalid_argument 47135->47159 47153 4026a7 28 API calls 47136->47153 47140 41c5b9 47154 41c546 28 API calls 47140->47154 47142 41c5ec 47143 41c613 47142->47143 47144 41c607 47142->47144 47156 41c7df 26 
API calls 47143->47156 47155 41c7c2 26 API calls 47144->47155 47147 41c611 47158 41c76a 26 API calls 47147->47158 47148 41c61f 47157 41c7df 26 API calls 47148->47157 47151 41c64e 47151->47130 47152->47130 47153->47140 47154->47142 47155->47147 47156->47148 47157->47147 47158->47151 47160->46761 47161->46765 47162->46767 47166 402e85 47164->47166 47165 402ea9 47165->46776 47166->47165 47167 402e98 47166->47167 47169 402eae 47166->47169 47171 403445 28 API calls 47167->47171 47169->47165 47172 40225b 26 API calls 47169->47172 47171->47165 47172->47165 47174 404bd0 47173->47174 47177 40245c 47174->47177 47176 404be4 47176->46779 47178 402469 47177->47178 47180 402478 47178->47180 47181 402ad3 28 API calls 47178->47181 47180->47176 47181->47180 47182->46783 47183->46786 47185 401e94 47184->47185 47187 41a481 47186->47187 47188 41b178 GetCurrentProcess 47186->47188 47189 412513 RegOpenKeyExA 47187->47189 47188->47187 47190 412541 RegQueryValueExA RegCloseKey 47189->47190 47191 412569 47189->47191 47190->47191 47192 401f66 28 API calls 47191->47192 47193 41257e 47192->47193 47193->46800 47194->46808 47196 40b02f 47195->47196 47199 40b04b 47196->47199 47198 40b045 47198->46819 47200 40b055 47199->47200 47202 40b060 47200->47202 47203 40b138 28 API calls 47200->47203 47202->47198 47203->47202 47204->46823 47205->46826 47207 40230d 47206->47207 47208 402325 28 API calls 47207->47208 47209 401f80 47208->47209 47209->46545 47228 43a555 47210->47228 47212 43999b 47237 4392ee 38 API calls 2 library calls 47212->47237 47213 439960 47213->47212 47214 439975 47213->47214 47227 40dd54 47213->47227 47235 445364 20 API calls __dosmaperr 47214->47235 47217 43997a 47236 43a837 26 API calls _Deallocate 47217->47236 47220 4399a7 47221 4399d6 47220->47221 47238 43a59a 42 API calls __Tolower 47220->47238 47224 439a42 47221->47224 47239 43a501 26 API calls 2 library calls 47221->47239 47240 43a501 26 API calls 2 library calls 47224->47240 47225 439b09 _strftime 47225->47227 47241 445364 20 
API calls __dosmaperr 47225->47241 47227->46561 47227->46562 47229 43a55a 47228->47229 47230 43a56d 47228->47230 47242 445364 20 API calls __dosmaperr 47229->47242 47230->47213 47232 43a55f 47243 43a837 26 API calls _Deallocate 47232->47243 47234 43a56a 47234->47213 47235->47217 47236->47227 47237->47220 47238->47220 47239->47224 47240->47225 47241->47227 47242->47232 47243->47234 47248 401e9b 47244->47248 47246 4027d9 47246->46864 47247->46868 47249 401ea7 47248->47249 47250 40245c 28 API calls 47249->47250 47251 401eb9 47250->47251 47251->47246 47253 409855 47252->47253 47254 4124b7 3 API calls 47253->47254 47255 40985c 47254->47255 47256 409870 47255->47256 47257 40988a 47255->47257 47259 4095cf 47256->47259 47260 409875 47256->47260 47273 4082dc 28 API calls 47257->47273 47259->46597 47271 4082dc 28 API calls 47260->47271 47261 409898 47274 4098a5 85 API calls 47261->47274 47264 409883 47272 409959 29 API calls 47264->47272 47266 409888 47266->47259 47267->46893 47278 402d8b 47268->47278 47270 4028dd 47270->46896 47271->47264 47272->47266 47275 40999f 129 API calls 47272->47275 47273->47261 47274->47259 47276 4099b5 52 API calls 47274->47276 47277 4099a9 124 API calls 47274->47277 47279 402d97 47278->47279 47282 4030f7 47279->47282 47281 402dab 47281->47270 47283 403101 47282->47283 47285 403115 47283->47285 47286 4036c2 28 API calls 47283->47286 47285->47281 47286->47285 47288 403b48 47287->47288 47294 403b7a 47288->47294 47291 403cbb 47303 403dc2 47291->47303 47293 403cc9 47293->46905 47295 403b86 47294->47295 47298 403b9e 47295->47298 47297 403b5a 47297->47291 47299 403ba8 47298->47299 47301 403bb3 47299->47301 47302 403cfd 28 API calls 47299->47302 47301->47297 47302->47301 47304 403dce 47303->47304 47307 402ffd 47304->47307 47306 403de3 47306->47293 47308 40300e 47307->47308 47313 4032a4 47308->47313 47312 40302e 47312->47306 47314 4032b0 47313->47314 47315 40301a 47313->47315 47319 4032b6 28 API calls 47314->47319 47315->47312 47318 4035e8 28 API calls 
47315->47318 47318->47312 47326 4395ca 47320->47326 47324 412814 47323->47324 47325 4127ed RegSetValueExA RegCloseKey 47323->47325 47324->46931 47325->47324 47329 43954b 47326->47329 47328 401608 47328->46929 47330 43955a 47329->47330 47331 43956e 47329->47331 47337 445364 20 API calls __dosmaperr 47330->47337 47336 43956a __alldvrm 47331->47336 47339 447611 11 API calls 2 library calls 47331->47339 47333 43955f 47338 43a837 26 API calls _Deallocate 47333->47338 47336->47328 47337->47333 47338->47336 47339->47336 47341 41aac9 ctype ___scrt_fastfail 47340->47341 47342 401f66 28 API calls 47341->47342 47343 41ab3e 47342->47343 47343->46935 47344->46951 47346 413fb3 WSASetLastError 47345->47346 47347 413fa9 47345->47347 47346->46968 47464 413e37 35 API calls ___std_exception_copy 47347->47464 47349 413fae 47349->47346 47352 404206 socket 47351->47352 47353 4041fd 47351->47353 47355 404220 47352->47355 47356 404224 CreateEventW 47352->47356 47465 404262 WSAStartup 47353->47465 47355->46968 47356->46968 47357 404202 47357->47352 47357->47355 47359 40492a 47358->47359 47361 4049b1 47358->47361 47360 404933 47359->47360 47362 404987 CreateEventA CreateThread 47359->47362 47363 404942 GetLocalTime 47359->47363 47360->47362 47361->46968 47362->47361 47468 404b1d 47362->47468 47466 41ad56 28 API calls 47363->47466 47365 40495b 47467 404c9e 28 API calls 47365->47467 47367 404968 47368 401f66 28 API calls 47367->47368 47369 404977 47368->47369 47370 41a696 79 API calls 47369->47370 47371 40497c 47370->47371 47372 401eea 26 API calls 47371->47372 47372->47362 47374 4043e1 47373->47374 47375 4042b3 47373->47375 47376 4043e7 WSAGetLastError 47374->47376 47377 404343 47374->47377 47375->47377 47379 4042e8 47375->47379 47380 404cbf 28 API calls 47375->47380 47376->47377 47378 4043f7 47376->47378 47377->46968 47381 4042f7 47378->47381 47382 4043fc 47378->47382 47472 420161 27 API calls 47379->47472 47384 4042d4 47380->47384 47390 401f66 28 API calls 47381->47390 47483 41bc86 30 API 
calls 47382->47483 47387 401f66 28 API calls 47384->47387 47386 4042f0 47386->47381 47389 404306 47386->47389 47392 4042e3 47387->47392 47388 40440b 47484 404c9e 28 API calls 47388->47484 47399 404315 47389->47399 47400 40434c 47389->47400 47391 404448 47390->47391 47394 401f66 28 API calls 47391->47394 47395 41a696 79 API calls 47392->47395 47397 404457 47394->47397 47395->47379 47396 404418 47398 401f66 28 API calls 47396->47398 47401 41a696 79 API calls 47397->47401 47402 404427 47398->47402 47404 401f66 28 API calls 47399->47404 47480 420f44 55 API calls 47400->47480 47401->47377 47405 41a696 79 API calls 47402->47405 47407 404324 47404->47407 47409 40442c 47405->47409 47406 404354 47410 404389 47406->47410 47411 404359 47406->47411 47408 401f66 28 API calls 47407->47408 47412 404333 47408->47412 47414 401eea 26 API calls 47409->47414 47482 4202fa 28 API calls 47410->47482 47415 401f66 28 API calls 47411->47415 47416 41a696 79 API calls 47412->47416 47414->47377 47418 404368 47415->47418 47430 404338 47416->47430 47417 404391 47419 4043be CreateEventW CreateEventW 47417->47419 47421 401f66 28 API calls 47417->47421 47420 401f66 28 API calls 47418->47420 47419->47377 47422 404377 47420->47422 47424 4043a7 47421->47424 47425 41a696 79 API calls 47422->47425 47427 401f66 28 API calls 47424->47427 47426 40437c 47425->47426 47481 4205a2 53 API calls 47426->47481 47429 4043b6 47427->47429 47431 41a696 79 API calls 47429->47431 47473 4201a1 47430->47473 47432 4043bb 47431->47432 47432->47419 47434 404805 SetEvent CloseHandle 47433->47434 47435 40481c closesocket 47433->47435 47436 40489c 47434->47436 47437 404829 47435->47437 47436->46968 47438 404838 47437->47438 47439 40483f 47437->47439 47487 404ab1 83 API calls 47438->47487 47441 404851 WaitForSingleObject 47439->47441 47442 404892 SetEvent CloseHandle 47439->47442 47443 4201a1 3 API calls 47441->47443 47442->47436 47444 404860 SetEvent WaitForSingleObject 47443->47444 47445 4201a1 3 API calls 47444->47445 47446 
404878 SetEvent CloseHandle CloseHandle 47445->47446 47446->47442 47447->46968 47448->46968 47449->46968 47450->46968 47451->46968 47452->46968 47453->46968 47454->47017 47455->47017 47456->47017 47457->47017 47458->47017 47459->47017 47460->47017 47461->47017 47462->47017 47463->47017 47464->47349 47465->47357 47466->47365 47467->47367 47471 404b29 101 API calls 47468->47471 47470 404b26 47471->47470 47472->47386 47474 41dc25 47473->47474 47475 4201a9 47473->47475 47476 41dc33 47474->47476 47485 41cd79 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47474->47485 47475->47377 47486 41d960 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47476->47486 47479 41dc3a 47480->47406 47481->47430 47482->47417 47483->47388 47484->47396 47485->47476 47486->47479 47487->47439 47489->47044 47490->47070 47491->47069 47492->47058 47493->47062 47494->47068 47496 40e56a 47495->47496 47497 4124b7 3 API calls 47496->47497 47498 40e60e 47496->47498 47500 40e5fe Sleep 47496->47500 47517 40e59c 47496->47517 47497->47496 47531 4082dc 28 API calls 47498->47531 47500->47496 47503 41ae18 28 API calls 47503->47517 47504 40e619 47505 41ae18 28 API calls 47504->47505 47506 40e625 47505->47506 47532 412774 29 API calls 47506->47532 47509 401e13 26 API calls 47509->47517 47510 40e638 47511 401e13 26 API calls 47510->47511 47513 40e644 47511->47513 47512 401f66 28 API calls 47512->47517 47514 401f66 28 API calls 47513->47514 47515 40e655 47514->47515 47518 4126d2 29 API calls 47515->47518 47516 4126d2 29 API calls 47516->47517 47517->47500 47517->47503 47517->47509 47517->47512 47517->47516 47528 40bf04 73 API calls ___scrt_fastfail 47517->47528 47529 4082dc 28 API calls 47517->47529 47530 412774 29 API calls 47517->47530 47519 40e668 47518->47519 47533 411699 TerminateProcess WaitForSingleObject 47519->47533 47521 40e670 ExitProcess 47534 411637 60 API calls 47522->47534 47529->47517 47530->47517 47531->47504 47532->47510 47533->47521

                          Control-flow Graph

                          APIs
                          • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                          • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleLibraryLoadModule
                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                          • API String ID: 384173800-625181639
                          • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                          • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                          • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                          • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                            • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                            • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                          • Sleep.KERNELBASE(00000BB8), ref: 0040E603
                          • ExitProcess.KERNEL32 ref: 0040E672
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseExitOpenProcessQuerySleepValue
                          • String ID: 5.3.0 Pro$override$pth_unenc$BG
                          • API String ID: 2281282204-3981147832
                          • Opcode ID: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
                          • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                          • Opcode Fuzzy Hash: 099a9bf13a86a18ae7ced4af45115ec220a16a2a1b66786f925988895ab02a01
                          • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

                          Control-flow Graph

                          • Interactive control-flow graph (basic blocks 0x404915-0x4049b7) not reproduced here; the APIs it reaches are listed below.
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 00404946
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                          • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7
                          Strings
                          • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$EventLocalThreadTime
                          • String ID: KeepAlive | Enabled | Timeout:
                          • API String ID: 2532271599-1507639952
                          • Opcode ID: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
                          • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                          • Opcode Fuzzy Hash: d248886e52a7d0ac6cae50da1f59772ac17be00107f66e41d9b0c0522851940d
                          • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                          APIs
                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Context$AcquireRandomRelease
                          • String ID:
                          • API String ID: 1815803762-0
                          • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                          • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                          • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                          • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                          APIs
                          • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7CF
                          • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Name$ComputerUser
                          • String ID:
                          • API String ID: 4229901323-0
                          • Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                          • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                          • Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                          • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: recv
                          • String ID:
                          • API String ID: 1507349165-0
                          • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                          • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                          • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                          • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                          Control-flow Graph

                          • Interactive control-flow graph (basic blocks 0x40d767-0x40e154) not reproduced here; the APIs it reaches are listed below.
                          APIs
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                            • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                            • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                            • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Suppliers_Data.pif.exe,00000104), ref: 0040D790
                            • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                          • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\Suppliers_Data.pif.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                          • API String ID: 2830904901-1006981457
                          • Opcode ID: 27a01aff42a579400e3101b255f1ec488547eb91d73c3514a06912c85c481647
                          • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                          • Opcode Fuzzy Hash: 27a01aff42a579400e3101b255f1ec488547eb91d73c3514a06912c85c481647
                          • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                          Control-flow Graph

                          • Interactive control-flow graph (basic blocks 0x413fd4-0x414b96) not reproduced here; the APIs it reaches are listed below.
                          APIs
                          • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                          • WSAGetLastError.WS2_32 ref: 00414249
                          • Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$ErrorLastLocalTime
                          • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\Suppliers_Data.pif.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                          • API String ID: 524882891-2424270271
                          • Opcode ID: 9fbcf082b9712a934eb7fcb763e3e8452ffb3661f93586d2b4f69cd9451bafcd
                          • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                          • Opcode Fuzzy Hash: 9fbcf082b9712a934eb7fcb763e3e8452ffb3661f93586d2b4f69cd9451bafcd
                          • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                          Control-flow Graph

                          APIs
                          • connect.WS2_32(?,?,?), ref: 004042A5
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                          • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                          • API String ID: 994465650-2151626615
                          • Opcode ID: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
                          • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                          • Opcode Fuzzy Hash: 2601ad7ba584dd83cc4b687a7b2e5622e4b8e2ffaa9cdc4205b416171ec1cd63
                          • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                          Control-flow Graph

                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                          • closesocket.WS2_32(000000FF), ref: 0040481F
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                          • String ID:
                          • API String ID: 3658366068-0
                          • Opcode ID: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
                          • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                          • Opcode Fuzzy Hash: 7b4c4e1fc9e1a33e746d3ea038c7d733e0ecce283ed42e9dfa2e2b523637497c
                          • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

                          Control-flow Graph

                          • Interactive control-flow graph (basic blocks 0x40c89e-0x40ca85) not reproduced here; the APIs it reaches are listed below.
                          APIs
                          • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: LongNamePath
                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                          • API String ID: 82841172-425784914
                          • Opcode ID: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
                          • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                          • Opcode Fuzzy Hash: e65b7fd2f28b979a12418c5f5c2e2d29b720dc4ff9d72dd2f9df27909d96306d
                          • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                            • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                            • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                            • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                          • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCurrentOpenProcessQueryValue
                          • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                          • API String ID: 1866151309-3211212173
                          • Opcode ID: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
                          • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                          • Opcode Fuzzy Hash: 9cf1f296616cdcd313259411c277503da338ecbad0565973079cd90fb6de65e1
                          • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                          Control-flow Graph
                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                          • RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                          • RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: HgF$pth_unenc
                          • API String ID: 1818849710-3662775637

                          Control-flow Graph
                          APIs
                          • GetLastError.KERNEL32(00434413,00434413,?,00445369,00446B52,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?), ref: 00446F58
                          • _free.LIBCMT ref: 00446F8D
                          • _free.LIBCMT ref: 00446FB4
                          • SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FC1
                          • SetLastError.KERNEL32(00000000,?,00434413), ref: 00446FCA
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          • API String ID: 3170660625-0

                          Control-flow Graph
                          APIs
                          • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                          • RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                          • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: TUF
                          • API String ID: 1818849710-3431404234

                          Control-flow Graph
                          APIs
                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                          • GetLastError.KERNEL32 ref: 0040BEF1
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CreateErrorLastMutex
                          • String ID: (CG
                          • API String ID: 1925916568-4210230975

                          Control-flow Graph
                          APIs
                          • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                          • RegCloseKey.KERNELBASE(?), ref: 0041255F
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0

                          Control-flow Graph
                          APIs
                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                          • RegCloseKey.KERNELBASE(?), ref: 00412500
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          APIs
                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                          • RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID:
                          • API String ID: 3677997916-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: _wcslen
                          • String ID: xAG
                          • API String ID: 176396367-2759412365
                          APIs
                          • _free.LIBCMT ref: 0044B9EF
                            • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: AllocateHeap$_free
                          • String ID:
                          • API String ID: 1482568997-0
                          APIs
                          • socket.WS2_32(?,00000001,00000006), ref: 00404212
                            • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CreateEventStartupsocket
                          • String ID:
                          • API String ID: 1953588214-0
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DF7
                            • Part of subcall function 00437BE7: RaiseException.KERNEL32(?,?,00434421,?,?,?,?,?,?,?,?,00434421,?,0046D644,00404AD0), ref: 00437C47
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E14
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID:
                          • API String ID: 3476068407-0
                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,00437237,?,?,?,?,?,0040CC87,00434413), ref: 00448757
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          APIs
                          • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Startup
                          • String ID:
                          • API String ID: 724789610-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          APIs
                          • SetEvent.KERNEL32(?,?), ref: 00406F28
                          • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                          • DeleteFileW.KERNEL32(00000000), ref: 00407018
                            • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                            • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                            • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                            • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                            • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                            • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                            • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                            • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                            • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                            • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                          • DeleteFileA.KERNEL32(?), ref: 004078CC
                            • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                            • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                            • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                          • Sleep.KERNEL32(000007D0), ref: 00407976
                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                            • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                          • API String ID: 2918587301-599666313
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0040508E
                            • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                            • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          • __Init_thread_footer.LIBCMT ref: 004050CB
                          • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                          • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                            • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                            • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                            • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                          • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                          • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                          • CloseHandle.KERNEL32 ref: 004053CD
                          • CloseHandle.KERNEL32 ref: 004053D5
                          • CloseHandle.KERNEL32 ref: 004053E7
                          • CloseHandle.KERNEL32 ref: 004053EF
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                          • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                          • API String ID: 3815868655-1274243119
                          APIs
                          • GetCurrentProcessId.KERNEL32 ref: 00410F45
                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                            • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                            • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                          • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                            • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                            • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                          • CloseHandle.KERNEL32(00000000), ref: 00410F90
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                          • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                          • API String ID: 65172268-860466531
                          • Opcode ID: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
                          • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                          • Opcode Fuzzy Hash: 3d2ec039f958bf048a8c201d7f8a81e9ba8d6979ff7f871c800e70ef052d4e82
                          • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                          • FindClose.KERNEL32(00000000), ref: 0040B3CE
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                          • FindClose.KERNEL32(00000000), ref: 0040B517
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$CloseFile$FirstNext
                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                          • API String ID: 1164774033-3681987949
                          • Opcode ID: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
                          • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                          • Opcode Fuzzy Hash: a55c21d547313303409bc2568ceb902046709c86c763491b0c53e4f2ca284d26
                          • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                          • FindClose.KERNEL32(00000000), ref: 0040B5CC
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                          • FindClose.KERNEL32(00000000), ref: 0040B6B2
                          • FindClose.KERNEL32(00000000), ref: 0040B6D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$Close$File$FirstNext
                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                          • API String ID: 3527384056-432212279
                          • Opcode ID: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
                          • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                          • Opcode Fuzzy Hash: a71f50fce03a6b89e47498d88d246ee68c23d58d563221132017ac6cdd0e80fc
                          • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                            • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                            • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                          • API String ID: 726551946-3025026198
                          • Opcode ID: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
                          • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                          • Opcode Fuzzy Hash: 30da1d47b11118a268f62bc142a88eb8f37d6f01f4d3dd7acdbf78fe8c56f144
                          • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                          APIs
                          • OpenClipboard.USER32 ref: 004159C7
                          • EmptyClipboard.USER32 ref: 004159D5
                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                          • GlobalLock.KERNEL32(00000000), ref: 004159FE
                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                          • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                          • CloseClipboard.USER32 ref: 00415A5A
                          • OpenClipboard.USER32 ref: 00415A61
                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                          • CloseClipboard.USER32 ref: 00415A89
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                          • String ID:
                          • API String ID: 3520204547-0
                          • Opcode ID: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
                          • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                          • Opcode Fuzzy Hash: 6ed8a15f85b4eda99e75bc68e9c644e8b427782961166fcaf36fdd4c8f2d64f9
                          • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0$1$2$3$4$5$6$7
                          • API String ID: 0-3177665633
                          • Opcode ID: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
                          • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                          • Opcode Fuzzy Hash: aa35b6c391b669857e709787408fc35d19a5eec55d3d5a0aced25700c68607bb
                          • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                          APIs
                          • GetForegroundWindow.USER32 ref: 00409B3F
                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                          • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                          • GetKeyState.USER32(00000010), ref: 00409B5C
                          • GetKeyboardState.USER32(?), ref: 00409B67
                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                          • String ID: X[G
                          • API String ID: 1888522110-739899062
                          • Opcode ID: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
                          • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                          • Opcode Fuzzy Hash: e493efd0b8b4558b132da8245606e3aa1f2ec85b30bd84d249f064ae8ad69455
                          • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                          APIs
                          • _wcslen.LIBCMT ref: 00406788
                          • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Object_wcslen
                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                          • API String ID: 240030777-3166923314
                          • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                          • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                          • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                          • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                          APIs
                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                          • GetLastError.KERNEL32 ref: 00419945
                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                          • String ID:
                          • API String ID: 3587775597-0
                          • Opcode ID: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
                          • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                          • Opcode Fuzzy Hash: 3ac6ab5d256872219fc595c736f1fa07358be726c92bd725a469ceb362d7fbf0
                          • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                          APIs
                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                          • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                          • GetLastError.KERNEL32 ref: 00409A1B
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                          • TranslateMessage.USER32(?), ref: 00409A7A
                          • DispatchMessageA.USER32(?), ref: 00409A85
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                          • String ID: Keylogger initialization failure: error $`#v
                          • API String ID: 3219506041-3226811161
                          • Opcode ID: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
                          • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                          • Opcode Fuzzy Hash: 0b7731a1732448719b2bf699768c997a41862952e5444ada4ba6697cad37b533
                          • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                            • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                          • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                          • String ID:
                          • API String ID: 2341273852-0
                          • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                          • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                          • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                          • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                          APIs
                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                          • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressCloseCreateLibraryLoadProcsend
                          • String ID: SHDeleteKeyW$Shlwapi.dll
                          • API String ID: 2127411465-314212984
                          • Opcode ID: b8065b9836623536c08516bc274bfd8a167c6865f6e9b73682af5f29f8a9cf8d
                          • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                          • Opcode Fuzzy Hash: b8065b9836623536c08516bc274bfd8a167c6865f6e9b73682af5f29f8a9cf8d
                          • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                          APIs
                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                          • GetLastError.KERNEL32 ref: 0040B261
                          Strings
                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                          • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                          • [Chrome StoredLogins not found], xrefs: 0040B27B
                          • UserProfile, xrefs: 0040B227
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteErrorFileLast
                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          • API String ID: 2018770650-1062637481
                          • Opcode ID: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
                          • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                          • Opcode Fuzzy Hash: c40f0bbe6ac281c9bc18074575bfe4029dca0a9d2103736dcf0ec681c75a3121
                          • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                          APIs
                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                          • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                          • GetLastError.KERNEL32 ref: 00416B02
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                          • String ID: SeShutdownPrivilege
                          • API String ID: 3534403312-3733053543
                          • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                          • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                          • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                          • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                          APIs
                          • __EH_prolog.LIBCMT ref: 004089AE
                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                            • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                            • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                            • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                            • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                          • String ID:
                          • API String ID: 4043647387-0
                          • Opcode ID: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
                          • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                          • Opcode Fuzzy Hash: 960b8c1e0533c2719e906e86d7f414d90c0ed0de55d0b27db29086ff58eb8dfa
                          • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ManagerStart
                          • String ID:
                          • API String ID: 276877138-0
                          • Opcode ID: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                          • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                          • Opcode Fuzzy Hash: e25c39d92a846a462b53c10185a272e0ad60f5790e3d5b6c3523f631f015873d
                          • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                            • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Find$CreateFirstNext
                          • String ID: @CG$XCG$>G
                          • API String ID: 341183262-3030817687
                          • Opcode ID: 232651b6631de9661e01008884487fa2ba37f4a7870c2f2a45051fa367f78adf
                          • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                          • Opcode Fuzzy Hash: 232651b6631de9661e01008884487fa2ba37f4a7870c2f2a45051fa367f78adf
                          • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                          APIs
                            • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                            • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                            • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                            • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                            • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                          • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                          • GetProcAddress.KERNEL32(00000000), ref: 00415977
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                          • String ID: PowrProf.dll$SetSuspendState
                          • API String ID: 1589313981-1420736420
                          • Opcode ID: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
                          • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                          • Opcode Fuzzy Hash: ddda36ebdef431690859fd105a934bc1752b124657cc9f8586ecd1fce7ea85c4
                          • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                          APIs
                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                          • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID: ACP$OCP
                          • API String ID: 2299586839-711371036
                          • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                          • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                          • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                          • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                          APIs
                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                          • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                          • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                          • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID: SETTINGS
                          • API String ID: 3473537107-594951305
                          • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                          • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                          • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                          • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                          • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                          • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                          • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                          • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                          • String ID:
                          • API String ID: 745075371-0
                          • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                          • Instruction ID: 411f265c59fe6ea8e7a4a7f389aa671ff947d679512e0c94986e3a05ae8bdf1c
                          • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                          • Instruction Fuzzy Hash: 4951B331900205ABDB20EFA5CC41BBF73B8AF05306F14456BFD11DB262D7789948CB69
                          APIs
                          • __EH_prolog.LIBCMT ref: 00407A91
                          • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstH_prologNext
                          • String ID:
                          • API String ID: 1157919129-0
                          • Opcode ID: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
                          • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                          • Opcode Fuzzy Hash: bb3c5c99637699bb9b35e74f8a42f5cb21015b095231c89f3e21d62b29b5eb8a
                          • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                          APIs
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                          • _free.LIBCMT ref: 00448077
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          • _free.LIBCMT ref: 00448243
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                          • String ID:
                          • API String ID: 1286116820-0
                          • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                          • Instruction ID: 9f73030e0ab81e705d7e97d576e5185c64763d3f00745452c155363557a16cba
                          • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                          • Instruction Fuzzy Hash: 97512A718002099BE714EF69CC829BF77BCEF44364F11026FE454A32A1EB389E46CB58
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: DownloadExecuteFileShell
                          • String ID: C:\Users\user\Desktop\Suppliers_Data.pif.exe$open
                          • API String ID: 2825088817-3245187058
                          • Opcode ID: e28f25d4d19b8d56baa702e1e00f9abcfc38949ec24a855979b27e8ae747898c
                          • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                          • Opcode Fuzzy Hash: e28f25d4d19b8d56baa702e1e00f9abcfc38949ec24a855979b27e8ae747898c
                          • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$FirstNextsend
                          • String ID: x@G$x@G
                          • API String ID: 4113138495-3390264752
                          • Opcode ID: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
                          • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                          • Opcode Fuzzy Hash: 0d824ddd483e098b3624018aa28cbd1eeab2459e1e0cc1af35d00935aeabc74c
                          • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                          APIs
                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                            • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                            • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                            • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateInfoParametersSystemValue
                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                          • API String ID: 4127273184-3576401099
                          • Opcode ID: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                          • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                          • Opcode Fuzzy Hash: a5c32248a9f687c15a35255313fa73033c651e0ffef1bc5fb235983aac5f5ce1
                          • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                          • _wcschr.LIBVCRUNTIME ref: 00450C01
                          • _wcschr.LIBVCRUNTIME ref: 00450C0F
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                          • String ID:
                          • API String ID: 4212172061-0
                          • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                          • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                          • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                          • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                          APIs
                          • __EH_prolog.LIBCMT ref: 00408DAC
                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$FirstH_prologNext
                          • String ID:
                          • API String ID: 301083792-0
                          • Opcode ID: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
                          • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                          • Opcode Fuzzy Hash: 63f9771ca86bd582bd3616e59cab3ba7d1ff64944245cac05fe2d569eb9bb920
                          • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorInfoLastLocale$_free$_abort
                          • String ID:
                          • API String ID: 2829624132-0
                          • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                          • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                          • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                          • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434413), ref: 0043A765
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434413), ref: 0043A76F
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434413), ref: 0043A77C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                          • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                          • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                          • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                          APIs
                          • GetCurrentProcess.KERNEL32(00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 00442585
                          • TerminateProcess.KERNEL32(00000000,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000,?,00445408), ref: 0044258C
                          • ExitProcess.KERNEL32 ref: 0044259E
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                          • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                          • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                          • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .
                          • API String ID: 0-248832578
                          • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                          • Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
                          • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                          • Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54
                          APIs
                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID: GetLocaleInfoEx
                          • API String ID: 2299586839-2904428671
                          • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                          • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                          • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                          • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$_free$InfoLocale_abort
                          • String ID:
                          • API String ID: 1663032902-0
                          • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                          • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                          • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                          • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          • Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                          • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                          • Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                          • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$InfoLocale_abort_free
                          • String ID:
                          • API String ID: 2692324296-0
                          • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                          • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                          • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                          • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          • Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                          • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                          • Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                          • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                          APIs
                            • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-0003D145,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                          • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalEnterEnumLocalesSectionSystem
                          • String ID:
                          • API String ID: 1272433827-0
                          • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                          • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                          • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                          • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                          • String ID:
                          • API String ID: 1084509184-0
                          • Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                          • Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
                          • Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                          • Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
                          APIs
                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
                          • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                          • Opcode Fuzzy Hash: ca1801b0e7e1465037cdf6632266da67ea6c9527f0861a44216c95eff7fcfe3c
                          • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                          • Instruction ID: 7ebf6c7408a73aa63663f0c3c7f2b2a2f8c8f4297a3c6ea18d4629481275dad6
                          • Opcode Fuzzy Hash: 551eff1786ed7eea90e54ff57207cf7fab7a3a56cebbc38fe8a2595e13bdd047
                          • Instruction Fuzzy Hash:
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                          • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                          • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                          • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                          APIs
                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                          • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                            • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                          • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                          • DeleteDC.GDI32(?), ref: 0041806D
                          • DeleteDC.GDI32(00000000), ref: 00418070
                          • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                          • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                          • GetIconInfo.USER32(?,?), ref: 004180DB
                          • DeleteObject.GDI32(?), ref: 0041810A
                          • DeleteObject.GDI32(?), ref: 00418117
                          • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                          • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                          • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                          • DeleteDC.GDI32(?), ref: 0041828F
                          • DeleteDC.GDI32(00000000), ref: 00418292
                          • DeleteObject.GDI32(00000000), ref: 00418295
                          • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                          • DeleteObject.GDI32(00000000), ref: 00418354
                          • GlobalFree.KERNEL32(?), ref: 0041835B
                          • DeleteDC.GDI32(?), ref: 0041836B
                          • DeleteDC.GDI32(00000000), ref: 00418376
                          • DeleteDC.GDI32(?), ref: 004183A8
                          • DeleteDC.GDI32(00000000), ref: 004183AB
                          • DeleteObject.GDI32(?), ref: 004183B1
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                          • String ID: DISPLAY
                          • API String ID: 1765752176-865373369
                          • Opcode ID: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
                          • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                          • Opcode Fuzzy Hash: 2257ed1409e9a1961a9d9eafba920a0f4d075fe48bda2856ce6cfd6cf2fe1e18
                          • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                          APIs
                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                          • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                          • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                          • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                          • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                          • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                          • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                          • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                          • ResumeThread.KERNEL32(?), ref: 00417582
                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                          • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                          • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                          • GetLastError.KERNEL32 ref: 004175C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                          • API String ID: 4188446516-108836778
                          • Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                          • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                          • Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                          • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
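The two functions above, the GDI screen grab starting at CreateDCA ref 00417FC9 and the injection routine starting at ref 0041728C, are easier to triage as ordered call chains than as flat API lists: the second one is textbook process hollowing (CreateProcessW with dwCreationFlags 00000004, which is CREATE_SUSPENDED, then GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread, with the ntdll section routines ZwCreateSection/ZwMapViewOfSection/ZwUnmapViewOfSection resolved at run time so they never appear in the import table). The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses the plugin's `API.MODULE(args), ref: ADDR` lines and checks both chains at increasing call-site addresses. The SAMPLE texts are copied from the report; the BENIGN sample and the rule names are constructed for the demonstration.

```python
"""Ordered call-chain checks over Joe Sandbox 'APIs' annotations.

Added example; not code from the report or from the sample. Parses lines of the
form 'API.MODULE(args), ref: ADDR' and tests two chains: process hollowing and
GDI screen capture. SAMPLE texts are copied from the report; BENIGN is constructed.
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit (winbase.h)

API_LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int       # call-site address inside the function
    subcall: bool  # True for 'Part of subcall function' lines


def parse_api_lines(text):
    """Parse annotation lines into ApiCall records; lines that are not API refs are skipped."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip())
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16), m["sub"] is not None))
    return calls


def _chain_after(calls, steps, start_ref):
    """Match each step (a tuple of acceptable API names) at strictly increasing addresses, or None."""
    found, cursor = [], start_ref
    for names in steps:
        nxt = next((c for c in calls if c.api in names and c.ref > cursor), None)
        if nxt is None:
            return None
        found.append(nxt)
        cursor = nxt.ref
    return found


def detect_process_hollowing(calls):
    """Suspended CreateProcess*, then GetThreadContext -> WriteProcessMemory -> SetThreadContext -> ResumeThread."""
    own = [c for c in calls if not c.subcall]
    verdict = {"matched": False, "creation_flags": None, "chain": [], "section_apis": []}
    for c in own:  # ntdll section routines resolved at run time show up as string arguments
        if c.api.startswith("GetModuleHandle"):
            verdict["section_apis"] += [a for a in c.args if re.fullmatch(r"(Zw|Nt)\w*Section", a)]
    for c in own:
        if c.api not in ("CreateProcessA", "CreateProcessW") or len(c.args) < 6:
            continue
        try:
            flags = int(c.args[5], 16)  # 6th parameter is dwCreationFlags
        except ValueError:
            continue
        if not flags & CREATE_SUSPENDED:
            continue
        rest = _chain_after(own, [("GetThreadContext",), ("WriteProcessMemory",),
                                  ("SetThreadContext",), ("ResumeThread",)], c.ref)
        if rest:
            verdict.update(matched=True, creation_flags=flags, chain=[c.api] + [r.api for r in rest])
            break
    return verdict


def detect_screen_capture(calls):
    """CreateDC('DISPLAY') -> CreateCompatibleBitmap -> BitBlt/StretchBlt -> GetDIBits, in address order."""
    own = [c for c in calls if not c.subcall]
    dc = next((c for c in own if c.api in ("CreateDCA", "CreateDCW") and c.args[:1] == ["DISPLAY"]), None)
    if dc is None:
        return False
    steps = [("CreateCompatibleBitmap",), ("BitBlt", "StretchBlt"), ("GetDIBits",)]
    return _chain_after(own, steps, dc.ref) is not None


# Copied from the report: the injection function at 0041728C (abridged to the relevant calls).
HOLLOWING_SAMPLE = """
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• GetLastError.KERNEL32 ref: 004175C7
"""
# Copied from the report: the screen-grab function at 00417FC9 (abridged).
SCREENSHOT_SAMPLE = """
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
"""
# Constructed: an ordinary child launch (dwCreationFlags 0) that must not trigger the rule.
BENIGN_SAMPLE = """
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401020
"""
```

The `ref` addresses are static call sites, so "increasing address" approximates but does not prove execution order (a loop or branch can reorder calls); treat a match as a strong triage signal to confirm in the dynamic trace, not as proof on its own. Subcall lines are excluded on purpose, since they belong to callees and would otherwise let unrelated helper functions satisfy a step.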
                          APIs
                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                          • ExitProcess.KERNEL32 ref: 0041151D
                            • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                            • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                            • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                            • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                          • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                            • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                            • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                          • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                          • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                            • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                            • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                            • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000), ref: 0041B61C
                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                          • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                          • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                            • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                          • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                          • API String ID: 4250697656-2665858469
                          • Opcode ID: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
                          • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                          • Opcode Fuzzy Hash: c9acd2e96293917bda9fc8cf2da187a2ece0c5837e987d224152d2e05bc2ec87
                          • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                          APIs
                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                            • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                          • ExitProcess.KERNEL32 ref: 0040C63E
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                          • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                          • API String ID: 1861856835-3168347843
                          • Opcode ID: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
                          • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                          • Opcode Fuzzy Hash: 6219edeefd560ff486394858dd9c1c9d22ab8a13fa2cd0cd7aa5e513517a661c
                          • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                          APIs
                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                            • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                          • ExitProcess.KERNEL32 ref: 0040C287
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                          • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                          • API String ID: 3797177996-1998216422
                          • Opcode ID: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
                          • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                          • Opcode Fuzzy Hash: 92fe1a40fcd02945d331df6cf61fadf3435f0996d79fe2ddfa73a677218823cf
                          • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
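The String ID lines of the two functions above carry, joined with `$`, the fragments of a VBScript the sample writes (`\update.vbs`, `Temp`): `On Error Resume Next`, a `Scripting.FileSystemObject`, a `while fso.FileExists(` ... `wend` loop that waits until the executable is gone, `fso.DeleteFile "` and `fso.DeleteFolder "` for the artefacts, and `fso.DeleteFile(Wscript.ScriptFullName)` so the script removes itself, next to the two HKCU Run paths and the `exepath` value name used for autostart. The Python below is an added example, not code from the report or the sample: it splits such a line and tags each fragment with the behaviour it indicates. The tag vocabulary and the `is_self_deleting_dropper` verdict are this example's own; the sample line is copied from the first of the two functions.

```python
"""Tag the persistence / self-deletion strings in a Joe Sandbox 'String ID' line.

Added example, not code from the report or the sample. Joe Sandbox joins a
function's string references with '$'; this splits such a line and maps
fragments to behaviour tags (the tag vocabulary is this example's own).
"""
import re

RULES = [
    ("persistence:run_key",
     re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\?$", re.I)),
    ("persistence:exepath_value", re.compile(r"^exepath$", re.I)),
    ("script:wscript_shell_run", re.compile(r'CreateObject\("WScript\.Shell"\)\.Run', re.I)),
    ("script:filesystemobject", re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I)),
    ("script:self_delete", re.compile(r"fso\.DeleteFile\(Wscript\.ScriptFullName\)", re.I)),
    ("script:delete_file", re.compile(r'^fso\.DeleteFile "', re.I)),
    ("script:delete_folder", re.compile(r'^fso\.DeleteFolder "', re.I)),
    ("script:wait_until_gone", re.compile(r"^while fso\.FileExists\(", re.I)),
    ("script:error_suppression", re.compile(r"^On Error Resume Next$", re.I)),
    ("dropper:vbs_name", re.compile(r"\.vbs$", re.I)),
]


def split_string_ids(line):
    """Return the '$'-separated fragments of a 'String ID:' line (prefix optional), in order."""
    payload = line.split("String ID:", 1)[-1]
    return [frag.strip() for frag in payload.split("$") if frag.strip()]


def classify_strings(fragments):
    """Pair each fragment with the tags whose pattern it matches; untagged fragments are dropped."""
    tagged = []
    for frag in fragments:
        tags = [tag for tag, rx in RULES if rx.search(frag)]
        if tags:
            tagged.append((frag, tags))
    return tagged


def summarize(line):
    """Set of behaviour tags present in one String ID line."""
    return {tag for _, tags in classify_strings(split_string_ids(line)) for tag in tags}


def is_self_deleting_dropper(tags):
    """Verdict: a script that waits for a file to vanish, removes artefacts, then deletes itself."""
    return ({"script:self_delete", "script:wait_until_gone"} <= tags
            and bool(tags & {"script:delete_file", "script:delete_folder"}))


# Copied from the report: the String ID line of the function whose ExitProcess is at ref 0040C63E.
SAMPLE_LINE = r'''• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("'''
```

Fragments such as `@CG` and `` `=G `` are pointer bytes the plugin rendered as strings and match nothing; leaving them untagged rather than filtering them by length keeps short genuine tokens like `exepath` and `.vbs` visible. Splitting on `$` is safe for these lines because none of the fragments contain a dollar sign, but a String ID line built from a script that uses `$` in its own text would need the report's HTML, not the flattened line.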
                          APIs
                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                          • SetEvent.KERNEL32 ref: 0041A39A
                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                          • CloseHandle.KERNEL32 ref: 0041A3BB
                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                          • API String ID: 738084811-1408154895
                          • Opcode ID: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
                          • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                          • Opcode Fuzzy Hash: f25ac0aab84e41d79845b7fc1309ac5f9c6375715bc9538c063ff5da4453c961
                          • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                          APIs
                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                          • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                          • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                          • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Write$Create
                          • String ID: RIFF$WAVE$data$fmt
                          • API String ID: 1602526932-4212202414
                          • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                          • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                          • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                          • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
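The thirteen WriteFile calls above, with byte counts 4,4,4,4,4,2,2,4,4,2,2,4,4 and the literals RIFF, WAVE, fmt and data, are exactly the fields of the canonical 44-byte RIFF/WAVE PCM header, which is what a microphone-capture routine writes before appending raw samples. As an added example (not the report's or the sample's code), the Python below builds that header, parses one back with consistency checks, and pulls the write lengths out of the report lines to confirm they match the layout. Channel count, sample rate and bit depth are assumed values for the demonstration; the report does not show them.

```python
"""Canonical PCM WAVE header: build, parse and compare with the observed WriteFile sequence.

Added example, not code from the report or the sample. The thirteen WriteFile
calls above write, in order, the fields of a 44-byte RIFF/WAVE PCM header.
Audio parameters used below are assumptions for the demonstration.
"""
import re
import struct

# (field, byte length) in on-disk order, little-endian; 44 bytes in total.
WAV_HEADER_FIELDS = [
    ("riff_tag", 4), ("riff_size", 4), ("wave_tag", 4), ("fmt_tag", 4),
    ("fmt_size", 4), ("format_tag", 2), ("channels", 2), ("sample_rate", 4),
    ("byte_rate", 4), ("block_align", 2), ("bits_per_sample", 2),
    ("data_tag", 4), ("data_size", 4),
]
WAV_STRUCT = struct.Struct("<4sI4s4sIHHIIHH4sI")
WRITEFILE_RE = re.compile(r"WriteFile\.\w+\(([^)]*)\)")


def build_wav_header(channels, sample_rate, bits_per_sample, data_size):
    """Header for PCM (format_tag 1) audio; riff_size counts everything after the first 8 bytes."""
    block_align = channels * bits_per_sample // 8
    return WAV_STRUCT.pack(
        b"RIFF", 36 + data_size, b"WAVE", b"fmt ", 16, 1, channels, sample_rate,
        sample_rate * block_align, block_align, bits_per_sample, b"data", data_size,
    )


def parse_wav_header(buf):
    """Parse and sanity-check a header; raises ValueError if tags or derived fields disagree."""
    if len(buf) < WAV_STRUCT.size:
        raise ValueError("short header")
    hdr = dict(zip([name for name, _ in WAV_HEADER_FIELDS], WAV_STRUCT.unpack(buf[:WAV_STRUCT.size])))
    tags = (hdr["riff_tag"], hdr["wave_tag"], hdr["fmt_tag"], hdr["data_tag"])
    if tags != (b"RIFF", b"WAVE", b"fmt ", b"data") or hdr["fmt_size"] != 16:
        raise ValueError("not a canonical RIFF/WAVE PCM header")
    if hdr["format_tag"] != 1:
        raise ValueError("format_tag %d is not PCM" % hdr["format_tag"])
    align = hdr["channels"] * hdr["bits_per_sample"] // 8
    if hdr["block_align"] != align or hdr["byte_rate"] != hdr["sample_rate"] * align:
        raise ValueError("block_align/byte_rate inconsistent with channels and bit depth")
    return hdr


def write_sizes_from_report(text):
    """nNumberOfBytesToWrite (3rd argument) of each WriteFile line, in call order."""
    sizes = []
    for m in WRITEFILE_RE.finditer(text):
        args = [a.strip() for a in m.group(1).split(",")]
        sizes.append(int(args[2], 16))
    return sizes


def write_sizes_match(sizes):
    """True when a WriteFile length sequence is exactly the canonical header layout."""
    return list(sizes) == [n for _, n in WAV_HEADER_FIELDS]


# Copied from the report: the WriteFile calls of the function that opens the file at ref 00401C54.
WRITEFILE_LINES = """
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
• WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
• WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
• WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
"""
```

Because the header is written field by field before the audio exists, the `riff_size` and `data_size` values written at that point are placeholders that a recorder must patch once capture stops; a recovered .wav whose sizes still read zero (or a stale value) is therefore not necessarily truncated, and `parse_wav_header` deliberately validates the fmt chunk rather than the sizes for that reason.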
                          APIs
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\Suppliers_Data.pif.exe,00000001,004068B2,C:\Users\user\Desktop\Suppliers_Data.pif.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                          • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                          • GetProcAddress.KERNEL32(00000000), ref: 00406511
                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                          • GetProcAddress.KERNEL32(00000000), ref: 00406525
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                          • GetProcAddress.KERNEL32(00000000), ref: 00406539
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                          • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                          • GetProcAddress.KERNEL32(00000000), ref: 00406561
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: C:\Users\user\Desktop\Suppliers_Data.pif.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                          • API String ID: 1646373207-3464977557
                          • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                          • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                          • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                          • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                          APIs
                          • _wcslen.LIBCMT ref: 0040BC75
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\Suppliers_Data.pif.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                          • _wcslen.LIBCMT ref: 0040BD54
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\Suppliers_Data.pif.exe,00000000,00000000), ref: 0040BDF2
                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                          • _wcslen.LIBCMT ref: 0040BE34
                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                          • ExitProcess.KERNEL32 ref: 0040BED0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                          • String ID: 6$C:\Users\user\Desktop\Suppliers_Data.pif.exe$del$open$BG$BG
                          • API String ID: 1579085052-1490490711
                          • Opcode ID: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
                          • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                          • Opcode Fuzzy Hash: 7e825e1316c52805ca15a361a92a31a639e789ac11549bf6dbe0440ae5e66784
                          • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                          APIs
                          • lstrlenW.KERNEL32(?), ref: 0041B1E6
                          • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                          • lstrlenW.KERNEL32(?), ref: 0041B217
                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                          • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                          • _wcslen.LIBCMT ref: 0041B2EB
                          • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                          • GetLastError.KERNEL32 ref: 0041B323
                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                          • lstrcatW.KERNEL32(?,?), ref: 0041B369
                          • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                          • GetLastError.KERNEL32 ref: 0041B380
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                          • String ID: ?
                          • API String ID: 3941738427-1684325040
                          • Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                          • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                          • Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                          • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$EnvironmentVariable$_wcschr
                          • String ID:
                          • API String ID: 3899193279-0
                          • Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                          • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                          • Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                          • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                            • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                          • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                          • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                          • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                          • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                          • Sleep.KERNEL32(00000064), ref: 00412060
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                          • String ID: /stext "$HDG$HDG$>G$>G
                          • API String ID: 1223786279-3931108886
                          • Opcode ID: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
                          • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                          • Opcode Fuzzy Hash: 94246fb79c68cfcb53b25fd957ccf7951aa449ee5690919d5197481e681c450f
                          • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                          APIs
                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                          • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                          • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                          • LoadLibraryA.KERNEL32(?), ref: 00413F27
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                          • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                          • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                          • API String ID: 2490988753-744132762
                          • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                          • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                          • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                          • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                          • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEnumOpen
                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                          • API String ID: 1332880857-3714951968
                          • Opcode ID: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
                          • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                          • Opcode Fuzzy Hash: 169ec82b56f5cfc94b0c0b7d9a60f187521d2f64dce5fc83bd669811bb3caad3
                          • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                          APIs
                          • __Init_thread_footer.LIBCMT ref: 0040A456
                          • Sleep.KERNEL32(000001F4), ref: 0040A461
                          • GetForegroundWindow.USER32 ref: 0040A467
                          • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                          • Sleep.KERNEL32(000003E8), ref: 0040A574
                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                          • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                          • API String ID: 911427763-1497357211
                          • Opcode ID: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
                          • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                          • Opcode Fuzzy Hash: 08c6775225c1be704445fd44d44109dcec563c1a9d4bfb3f89d30f3a95787bd0
                          • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F
                          APIs
                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                          • GetCursorPos.USER32(?), ref: 0041CB08
                          • SetForegroundWindow.USER32(?), ref: 0041CB11
                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                          • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                          • ExitProcess.KERNEL32 ref: 0041CB84
                          • CreatePopupMenu.USER32 ref: 0041CB8A
                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                          • String ID: Close
                          • API String ID: 1657328048-3535843008
                          • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                          • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                          • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                          • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$Info
                          • String ID:
                          • API String ID: 2509303402-0
                          • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                          • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                          • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                          • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                          • __aulldiv.LIBCMT ref: 00407FE9
                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                          • CloseHandle.KERNEL32(00000000), ref: 00408200
                          • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                          • CloseHandle.KERNEL32(00000000), ref: 00408256
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                          • API String ID: 1884690901-3066803209
                          • Opcode ID: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
                          • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                          • Opcode Fuzzy Hash: 142f1f72e0f29cad2ac4c499a5babf56d922c15ed98ea3bc8be458cd3ff9b4fd
                          • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                          APIs
                          • Sleep.KERNEL32(00001388), ref: 00409E62
                            • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                            • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                            • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                            • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                          • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                            • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                          • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                          • API String ID: 3795512280-3163867910
                          • Opcode ID: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
                          • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                          • Opcode Fuzzy Hash: cb598f5ef60ca0eca7745399a51d84c8660353be19ff15f145444b1f1551c77f
                          • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 004500C1
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                            • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                          • _free.LIBCMT ref: 004500B6
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          • _free.LIBCMT ref: 004500D8
                          • _free.LIBCMT ref: 004500ED
                          • _free.LIBCMT ref: 004500F8
                          • _free.LIBCMT ref: 0045011A
                          • _free.LIBCMT ref: 0045012D
                          • _free.LIBCMT ref: 0045013B
                          • _free.LIBCMT ref: 00450146
                          • _free.LIBCMT ref: 0045017E
                          • _free.LIBCMT ref: 00450185
                          • _free.LIBCMT ref: 004501A2
                          • _free.LIBCMT ref: 004501BA
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                          • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                          • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                          • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                          APIs
                          • __EH_prolog.LIBCMT ref: 0041913D
                          • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                          • Sleep.KERNEL32(000003E8), ref: 0041927D
                          • GetLocalTime.KERNEL32(?), ref: 0041928C
                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                          • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                          • API String ID: 489098229-65789007
                          • Opcode ID: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
                          • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                          • Opcode Fuzzy Hash: 20ad9dcad6b4c7da979322c167eeb5490f5651d63a6c5e78ab6e583428f79961
                          • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                          APIs
                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                            • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                            • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                            • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                          • ExitProcess.KERNEL32 ref: 0040C832
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                          • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                          • API String ID: 1913171305-390638927
                          • Opcode ID: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
                          • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                          • Opcode Fuzzy Hash: 71ed8149d107c801a58795291cbbf560ec2e2514c0515b8670bbce909e4cd16b
                          • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                          • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                          • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                          • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                          APIs
                            • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                          • GetLastError.KERNEL32 ref: 00454AA6
                          • __dosmaperr.LIBCMT ref: 00454AAD
                          • GetFileType.KERNEL32(00000000), ref: 00454AB9
                          • GetLastError.KERNEL32 ref: 00454AC3
                          • __dosmaperr.LIBCMT ref: 00454ACC
                          • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                          • CloseHandle.KERNEL32(?), ref: 00454C36
                          • GetLastError.KERNEL32 ref: 00454C68
                          • __dosmaperr.LIBCMT ref: 00454C6F
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: H
                          • API String ID: 4237864984-2852464175
                          • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                          • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                          • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                          • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 65535$udp
                          • API String ID: 0-1267037602
                          • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                          • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                          • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                          • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                          • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                          • __dosmaperr.LIBCMT ref: 004393DD
                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                          • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                          • __dosmaperr.LIBCMT ref: 0043941A
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                          • __dosmaperr.LIBCMT ref: 0043946E
                          • _free.LIBCMT ref: 0043947A
                          • _free.LIBCMT ref: 00439481
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                          • String ID:
                          • API String ID: 2441525078-0
                          • Opcode ID: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
                          • Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
                          • Opcode Fuzzy Hash: 7d52e2fbbdbfe11ab4c2d7ae9a425497261befc8dca55fd6b38b522b0d4b8486
                          • Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9
                          APIs
                          • SetEvent.KERNEL32(?,?), ref: 00404E71
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                          • TranslateMessage.USER32(?), ref: 00404F30
                          • DispatchMessageA.USER32(?), ref: 00404F3B
                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                          • String ID: CloseChat$DisplayMessage$GetMessage
                          • API String ID: 2956720200-749203953
                          • Opcode ID: 873e6be46378f032ea069c5995f77c0816049facf75ee970e0dab14d7faad135
                          • Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
                          • Opcode Fuzzy Hash: 873e6be46378f032ea069c5995f77c0816049facf75ee970e0dab14d7faad135
                          • Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A
                          APIs
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                          • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                          • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                          • String ID: <$@$@FG$@FG$Temp
                          • API String ID: 1107811701-2245803885
                          • Opcode ID: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
                          • Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
                          • Opcode Fuzzy Hash: 7554bfeb40c4b2af2b7365563deb2cc3d5ba60fa6237755d2b448c11faa41bd7
                          • Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                          APIs
                          • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                          • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\Suppliers_Data.pif.exe), ref: 00406705
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentProcess
                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                          • API String ID: 2050909247-4145329354
                          • Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                          • Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
                          • Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                          • Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          • Opcode ID: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
                          • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                          • Opcode Fuzzy Hash: 3abd86868e1217ea2d45c9c88d919e3d4f56aa0647f23c1260161372d98c8da3
                          • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                          APIs
                          • _free.LIBCMT ref: 00446DEF
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          • _free.LIBCMT ref: 00446DFB
                          • _free.LIBCMT ref: 00446E06
                          • _free.LIBCMT ref: 00446E11
                          • _free.LIBCMT ref: 00446E1C
                          • _free.LIBCMT ref: 00446E27
                          • _free.LIBCMT ref: 00446E32
                          • _free.LIBCMT ref: 00446E3D
                          • _free.LIBCMT ref: 00446E48
                          • _free.LIBCMT ref: 00446E56
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                          • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                          • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                          • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Eventinet_ntoa
                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                          • API String ID: 3578746661-4192532303
                          • Opcode ID: b4f73340190532a4d9c3b2c66da7f5fe2f1e4b8963c915d88a6d33283565f7c0
                          • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                          • Opcode Fuzzy Hash: b4f73340190532a4d9c3b2c66da7f5fe2f1e4b8963c915d88a6d33283565f7c0
                          • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                          APIs
                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecodePointer
                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                          • API String ID: 3527080286-3064271455
                          • Opcode ID: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                          • Instruction ID: dc575b74d0f085a316b11c585a5ec2812edae3f3668b4c4373b6e849a421fba0
                          • Opcode Fuzzy Hash: efaf98d5bece97301cb0be0d87691fc7541a968c6dbfa9ece40fee8aaf611780
                          • Instruction Fuzzy Hash: F7517D70900A09CBCF149FA9E9581BDBBB0FB09342F244197EC45A7366DB7D8A188B1D
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                            • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                          • Sleep.KERNEL32(00000064), ref: 00416688
                          • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreateDeleteExecuteShellSleep
                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                          • API String ID: 1462127192-2001430897
                          • Opcode ID: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
                          • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                          • Opcode Fuzzy Hash: a567638598e5f64f9f586ec3897bdd5cda464973c2cc93408e6715b44c417110
                          • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                          APIs
                          • _strftime.LIBCMT ref: 00401AD3
                            • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                          • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                          • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                          • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                          • API String ID: 3809562944-3643129801
                          • Opcode ID: fe5b0cc2389bb4fc2f756cf4a4e177efe98d3315a5d12e8610d7df5e1ffe9f2e
                          • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                          • Opcode Fuzzy Hash: fe5b0cc2389bb4fc2f756cf4a4e177efe98d3315a5d12e8610d7df5e1ffe9f2e
                          • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                          APIs
                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                          • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                          • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                          • waveInStart.WINMM ref: 00401A81
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                          • String ID: XCG$`=G$x=G
                          • API String ID: 1356121797-903574159
                          • Opcode ID: f7b885a57264b04ebf2febb913c7ab2768e2f0ab493ecec8a5d98043f26c65d4
                          • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                          • Opcode Fuzzy Hash: f7b885a57264b04ebf2febb913c7ab2768e2f0ab493ecec8a5d98043f26c65d4
                          • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                            • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                            • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                            • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                          • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                          • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                          • TranslateMessage.USER32(?), ref: 0041CA0B
                          • DispatchMessageA.USER32(?), ref: 0041CA15
                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                          • String ID: Remcos
                          • API String ID: 1970332568-165870891
                          • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                          • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                          • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                          • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • Opcode ID: 8724f9862cb7656745f569b65e9253ef66bccdbbb21ca01ab506061567e91e9c
                          • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                          • Opcode Fuzzy Hash: 8724f9862cb7656745f569b65e9253ef66bccdbbb21ca01ab506061567e91e9c
                          • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                          APIs
                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                          • __alloca_probe_16.LIBCMT ref: 00452CA1
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                          • __alloca_probe_16.LIBCMT ref: 00452D4B
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                            • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                          • __freea.LIBCMT ref: 00452DBA
                          • __freea.LIBCMT ref: 00452DC6
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                          • String ID:
                          • API String ID: 201697637-0
                          • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                          • Instruction ID: 924e7ddfc51c8ace49a4e982202af340d06b3b5a9b96f94d8290dca04e209d32
                          • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                          • Instruction Fuzzy Hash: E691C572E002169BDF218E64CA41AEF7BB5AF0A311F14456BEC01E7243D7ADDC49C7A8
                          APIs
                            • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                            • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                            • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                            • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                          • _memcmp.LIBVCRUNTIME ref: 004446B3
                          • _free.LIBCMT ref: 00444724
                          • _free.LIBCMT ref: 0044473D
                          • _free.LIBCMT ref: 0044476F
                          • _free.LIBCMT ref: 00444778
                          • _free.LIBCMT ref: 00444784
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorLast$_abort_memcmp
                          • String ID: C
                          • API String ID: 1679612858-1037565863
                          • Opcode ID: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                          • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                          • Opcode Fuzzy Hash: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                          • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: tcp$udp
                          • API String ID: 0-3725065008
                          • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                          • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                          • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                          • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                          APIs
                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                            • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                            • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                          • String ID: .part
                          • API String ID: 1303771098-3499674018
                          • Opcode ID: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
                          • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                          • Opcode Fuzzy Hash: 66e691a74e7f006358ac760d03bec4908fddb3b051589708aa87838830b58802
                          • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                          APIs
                            • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                            • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                            • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                            • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                          • _wcslen.LIBCMT ref: 0041A906
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                          • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                          • API String ID: 37874593-703403762
                          • Opcode ID: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
                          • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                          • Opcode Fuzzy Hash: 27895bcfed94204bcab943ef82ac12f5f5e023aa0cf9efce9513ccb574d3e45a
                          • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                          • __alloca_probe_16.LIBCMT ref: 004499F2
                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                          • __alloca_probe_16.LIBCMT ref: 00449AD7
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                          • __freea.LIBCMT ref: 00449B47
                            • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          • __freea.LIBCMT ref: 00449B50
                          • __freea.LIBCMT ref: 00449B75
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                          • String ID:
                          • API String ID: 3864826663-0
                          • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                          • Instruction ID: 2fc013a73a1c4821613f4f7d6933c77eebbc764427e3f4eacb424f728eff0283
                          • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                          • Instruction Fuzzy Hash: 0951F772610256AFFB259F61DC42EBBB7A9EB44714F14462EFD04D7240EB38EC40E668
                          APIs
                          • SendInput.USER32 ref: 00418B18
                          • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                          • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                            • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: InputSend$Virtual
                          • String ID:
                          • API String ID: 1167301434-0
                          • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                          • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                          • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                          • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                          APIs
                          • OpenClipboard.USER32 ref: 00415A46
                          • EmptyClipboard.USER32 ref: 00415A54
                          • CloseClipboard.USER32 ref: 00415A5A
                          • OpenClipboard.USER32 ref: 00415A61
                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                          • CloseClipboard.USER32 ref: 00415A89
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                          • String ID:
                          • API String ID: 2172192267-0
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: __freea$__alloca_probe_16
                          • String ID: a/p$am/pm$fD
                          • API String ID: 3509577899-1143445303
                          APIs
                          • _free.LIBCMT ref: 00447ECC
                          • _free.LIBCMT ref: 00447EF0
                          • _free.LIBCMT ref: 00448077
                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                          • _free.LIBCMT ref: 00448243
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                          • String ID:
                          • API String ID: 314583886-0
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          APIs
                            • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          • _free.LIBCMT ref: 00444096
                          • _free.LIBCMT ref: 004440AD
                          • _free.LIBCMT ref: 004440CC
                          • _free.LIBCMT ref: 004440E7
                          • _free.LIBCMT ref: 004440FE
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: _free$AllocateHeap
                          • String ID: Z7D
                          • API String ID: 3033488037-2145146825
                          APIs
                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A115
                          • __fassign.LIBCMT ref: 0044A190
                          • __fassign.LIBCMT ref: 0044A1AB
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1D1
                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                          • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          • API String ID: 1324828854-0
                          APIs
                          • ExitThread.KERNEL32 ref: 004017F4
                            • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                            • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                            • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                          • __Init_thread_footer.LIBCMT ref: 004017BC
                            • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                            • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                          • String ID: T=G$>G$>G
                          • API String ID: 1596592924-1617985637
                          APIs
                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                            • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                            • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: CloseEnumInfoOpenQuerysend
                          • String ID: TUFTUF$>G$DG$DG
                          • API String ID: 3114080316-344394840
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                          • _ValidateLocalCookies.LIBCMT ref: 00437B51
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                          • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          APIs
                            • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                            • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                            • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                          • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                          • API String ID: 1133728706-4073444585
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                          • int.LIBCPMT ref: 0040FC0F
                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                          • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                          • String ID: p[G
                          • API String ID: 2536120697-440918510
                          APIs
                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                          • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                          • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                          Strings
                          • http://geoplugin.net/json.gp, xrefs: 0041A55E
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: Internet$CloseHandleOpen$FileRead
                          • String ID: http://geoplugin.net/json.gp
                          • API String ID: 3121278467-91888290
                          APIs
                            • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                          • _free.LIBCMT ref: 0044FD39
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          • _free.LIBCMT ref: 0044FD44
                          • _free.LIBCMT ref: 0044FD4F
                          • _free.LIBCMT ref: 0044FDA3
                          • _free.LIBCMT ref: 0044FDAE
                          • _free.LIBCMT ref: 0044FDB9
                          • _free.LIBCMT ref: 0044FDC4
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          APIs
                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\Suppliers_Data.pif.exe), ref: 00406835
                            • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                            • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                          • CoUninitialize.OLE32 ref: 0040688E
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: InitializeObjectUninitialize_wcslen
                          • String ID: C:\Users\user\Desktop\Suppliers_Data.pif.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                          • API String ID: 3851391207-3807559320
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                          • int.LIBCPMT ref: 0040FEF2
                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                          • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                          • String ID: h]G
                          • API String ID: 2536120697-1579725984
                          APIs
                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                          • GetLastError.KERNEL32 ref: 0040B2EE
                          Strings
                          • [Chrome Cookies found, cleared!], xrefs: 0040B314
                          • UserProfile, xrefs: 0040B2B4
                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                          • [Chrome Cookies not found], xrefs: 0040B308
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: DeleteErrorFileLast
                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                          • API String ID: 2018770650-304995407
                          APIs
                          • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                          • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: Console$AllocOutputShowWindow
                          • String ID: Remcos v$5.3.0 Pro$CONOUT$
                          • API String ID: 2425139147-2527699604
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID:
                          • String ID: (CG$C:\Users\user\Desktop\Suppliers_Data.pif.exe$BG
                          • API String ID: 0-2484861165
                          APIs
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                          • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                          • Sleep.KERNEL32(00002710), ref: 00419F89
                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: PlaySound$HandleLocalModuleSleepTime
                          • String ID: Alarm triggered$`#v
                          • API String ID: 614609389-3049340936
                          APIs
                          • __allrem.LIBCMT ref: 00439799
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                          • __allrem.LIBCMT ref: 004397CC
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                          • __allrem.LIBCMT ref: 00439801
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 1992179935-0
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: __cftoe
                          • String ID:
                          • API String ID: 4189289331-0
                          • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                          • Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
                          • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                          • Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 00403E8A
                            • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: H_prologSleep
                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                          • API String ID: 3469354165-462540288
                          • Opcode ID: b8e9e228615381c613a5fe4a24ae204d60489973bad034a9f17b21e91d3d6061
                          • Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
                          • Opcode Fuzzy Hash: b8e9e228615381c613a5fe4a24ae204d60489973bad034a9f17b21e91d3d6061
                          • Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                          • String ID:
                          • API String ID: 493672254-0
                          • Opcode ID: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                          • Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
                          • Opcode Fuzzy Hash: b1a54bb8a8b8a5801daee02f654969ed363d70646ac738354a8241f6c324f73f
                          • Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9
                          APIs
                          • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                          • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                          • Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
                          • Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                          • Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C
                          APIs
                          • GetLastError.KERNEL32(?,0043E270,0043932C,0043E270,?,?,0043B965,FF8BC35D), ref: 00446ED3
                          • _free.LIBCMT ref: 00446F06
                          • _free.LIBCMT ref: 00446F2E
                          • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F3B
                          • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F47
                          • _abort.LIBCMT ref: 00446F4D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          • API String ID: 3160817290-0
                          • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                          • Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
                          • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                          • Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          • Opcode ID: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                          • Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
                          • Opcode Fuzzy Hash: 7cfb46db0bd01be278475ff74c7fe9cf9f01c1ce40244ff157d84eb2ddeeab7a
                          • Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          • Opcode ID: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                          • Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
                          • Opcode Fuzzy Hash: bfc840ceb24970ac6f0157abf75dddf4ec976f1f73edc1b4d2479d4f1225fd6b
                          • Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9
                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Service$CloseHandle$Open$ControlManager
                          • String ID:
                          • API String ID: 221034970-0
                          • Opcode ID: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                          • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                          • Opcode Fuzzy Hash: b33f3c56d08176086889cf85995723947178cb2cbd7dc05acdbbeb3f21c9258b
                          • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
                          APIs
                          • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Enum$InfoQueryValue
                          • String ID: [regsplt]$DG
                          • API String ID: 3554306468-1089238109
                          • Opcode ID: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
                          • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                          • Opcode Fuzzy Hash: 04be85a10a65fedb481150b8bc6c203764df31fda0f784146e603b05117797e8
                          • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                          APIs
                            • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                            • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                            • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                          • __Init_thread_footer.LIBCMT ref: 0040AEA7
                            • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                            • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                          • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                          • API String ID: 2974294136-4018440003
                          • Opcode ID: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
                          • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                          • Opcode Fuzzy Hash: d8cc1fc12807fd958afa10ea2d8e05a8c1945a4568a2f4f986646b09a49f41e4
                          • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                          APIs
                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                          • wsprintfW.USER32 ref: 0040A905
                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: EventLocalTimewsprintf
                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                          • API String ID: 1497725170-248792730
                          • Opcode ID: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
                          • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                          • Opcode Fuzzy Hash: c45d0d8330676a24f779125fc54340976b5d318e4a9b5b1d8d93ca89959c89e3
                          • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                          • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                          • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleSizeSleep
                          • String ID: `AG
                          • API String ID: 1958988193-3058481221
                          • Opcode ID: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                          • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                          • Opcode Fuzzy Hash: 1410e1d813e280eb6b4e08600abbe884787e407ed37892b11411430ae0a0b870
                          • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                          APIs
                          • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                          • GetLastError.KERNEL32 ref: 0041CAA1
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: ClassCreateErrorLastRegisterWindow
                          • String ID: 0$MsgWindowClass
                          • API String ID: 2877667751-2410386613
                          • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                          • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                          • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                          • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                          APIs
                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                          • CloseHandle.KERNEL32(?), ref: 00406A0F
                          • CloseHandle.KERNEL32(?), ref: 00406A14
                          Strings
                          • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseHandle$CreateProcess
                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                          • API String ID: 2922976086-4183131282
                          • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                          • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                          • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                          • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002), ref: 00442609
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,00445408,?,0044253A,00445408,0046DAE0,0000000C,00442691,00445408,00000002,00000000), ref: 0044263F
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                          • Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
                          • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                          • Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
                          APIs
                          • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                          • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                          • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: CloseCreateValue
                          • String ID: pth_unenc$BG
                          • API String ID: 1818849710-2233081382
                          • Opcode ID: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                          • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                          • Opcode Fuzzy Hash: ac3e74df9ad923195b5f52d5b35913edee8cf0ee45e7d693bb7f493c4d6726f0
                          • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                          • String ID: KeepAlive | Disabled
                          • API String ID: 2993684571-305739064
                          • Opcode ID: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
                          • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                          • Opcode Fuzzy Hash: 1c4db9832243d0eda189149083a568db31be4b3a7f45c94ba510965dd7bed6b7
                          • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                          APIs
                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                          Strings
                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                          • API String ID: 3024135584-2418719853
                          • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                          • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                          • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                          • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                          APIs
                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                          • GetProcAddress.KERNEL32(00000000), ref: 00401441
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetCursorInfo$User32.dll$`#v
                          • API String ID: 1646373207-1032071883
                          • Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                          • Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
                          • Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                          • Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                          • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                          • Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                          • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                          APIs
                            • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                          • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                          • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                          • String ID:
                          • API String ID: 3525466593-0
                          • Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                          • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                          • Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                          • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                          APIs
                            • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                          • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                            • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                            • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                            • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                          • String ID:
                          • API String ID: 4269425633-0
                          • Opcode ID: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
                          • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                          • Opcode Fuzzy Hash: 9969269c57af8964515969a0aa7c84db142fe4f72ac327e049761c9b5f0d9465
                          • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                          • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                          • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                          • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                          • __alloca_probe_16.LIBCMT ref: 0044FF68
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                          • __freea.LIBCMT ref: 0044FFD4
                            • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                          • String ID:
                          • API String ID: 313313983-0
                          • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                          • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                          • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                          • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                            • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                          • _free.LIBCMT ref: 0044E1B0
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          • API String ID: 336800556-0
                          • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                          • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                          • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                          • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                          APIs
                          • _free.LIBCMT ref: 0044F7C5
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          • _free.LIBCMT ref: 0044F7D7
                          • _free.LIBCMT ref: 0044F7E9
                          • _free.LIBCMT ref: 0044F7FB
                          • _free.LIBCMT ref: 0044F80D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                          • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                          • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                          • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                          APIs
                          • _free.LIBCMT ref: 00443315
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          • _free.LIBCMT ref: 00443327
                          • _free.LIBCMT ref: 0044333A
                          • _free.LIBCMT ref: 0044334B
                          • _free.LIBCMT ref: 0044335C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                          • Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
                          • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                          • Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
                          APIs
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                          • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                          • IsWindowVisible.USER32(?), ref: 004167A1
                            • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                            • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProcessWindow$Open$TextThreadVisible
                          • String ID: (FG
                          • API String ID: 3142014140-2273637114
                          • Opcode ID: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
                          • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                          • Opcode Fuzzy Hash: c7f659c7f8dd07594aa0d58b43293f081d02aa6a155b2a5aace8fb7cb86be1bb
                          • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                          APIs
                          • _strpbrk.LIBCMT ref: 0044D4B8
                          • _free.LIBCMT ref: 0044D5D5
                            • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00434413,?,?,?,00434413,00000016,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                            • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,?,00434413), ref: 0043A888
                            • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000,?,00434413), ref: 0043A88F
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                          • String ID: *?$.
                          • API String ID: 2812119850-3972193922
                          • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                          • Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
                          • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                          • Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54
                          APIs
                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                            • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                          • String ID: XCG$`AG$>G
                          • API String ID: 2334542088-2372832151
                          • Opcode ID: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
                          • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                          • Opcode Fuzzy Hash: f37316863ccad659ca2bf97aa1cfe92418112d60c8e754e1c486478c198cb9ff
                          • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Suppliers_Data.pif.exe,00000104), ref: 00442724
                          • _free.LIBCMT ref: 004427EF
                          • _free.LIBCMT ref: 004427F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\Desktop\Suppliers_Data.pif.exe
                          • API String ID: 2506810119-447033285
                          • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                          • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                          • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                          • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                            • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                            • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                          • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                          • String ID: /sort "Visit Time" /stext "$8>G
                          • API String ID: 368326130-2663660666
                          • Opcode ID: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
                          • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                          • Opcode Fuzzy Hash: 0c297dda1a405b052cf5921024dcdcc024882d594569d29d210d62c2d05d7870
                          • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                          APIs
                          • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                          • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread$LocalTimewsprintf
                          • String ID: Offline Keylogger Started
                          • API String ID: 465354869-4114347211
                          • Opcode ID: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
                          • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                          • Opcode Fuzzy Hash: 5ea4053e1a56471162166040b7adf2f927a814dce7017fd5fa1547eff60e0d80
                          • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                          APIs
                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                          • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                          • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread$LocalTime$wsprintf
                          • String ID: Online Keylogger Started
                          • API String ID: 112202259-1258561607
                          • Opcode ID: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
                          • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                          • Opcode Fuzzy Hash: e9ef4b4ce2fe67d916c62a364ac3e8c7c3b8e9b8d94d7f8099fcb04cbe9a102f
                          • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                          APIs
                          • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                          • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                          • __dosmaperr.LIBCMT ref: 0044AB0E
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseErrorHandleLast__dosmaperr
                          • String ID: `@
                          • API String ID: 2583163307-951712118
                          • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                          • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                          • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                          • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                          • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                          • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandleObjectSingleWait
                          • String ID: Connection Timeout
                          • API String ID: 2055531096-499159329
                          • Opcode ID: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
                          • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                          • Opcode Fuzzy Hash: 0c4e7447b4df129858c303fea986e9e9d1e62a01682a0eac217bcd46973c6bc4
                          • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                            • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                            • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                          • String ID: bad locale name
                          • API String ID: 3628047217-1405518554
                          • Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                          • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                          • Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                          • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                          APIs
                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell
                          • String ID: /C $cmd.exe$open
                          • API String ID: 587946157-3896048727
                          • Opcode ID: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
                          • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                          • Opcode Fuzzy Hash: fc1d9d8a200ebad5940102133050edab2b9e71f7596d6ef5b18c1bd3a17f0ddd
                          • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                          APIs
                          • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                          • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                          • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: TerminateThread$HookUnhookWindows
                          • String ID: pth_unenc
                          • API String ID: 3123878439-4028850238
                          • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                          • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                          • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                          • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                          APIs
                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                          • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetLastInputInfo$User32.dll
                          • API String ID: 2574300362-1519888992
                          • Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                          • Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
                          • Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                          • Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
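The function entries above are where an analyst confirms what the signature list at the top of the report only summarizes: Toolhelp32 process enumeration followed by OpenProcess on the results, LoadLibraryA/GetProcAddress resolving GetLastInputInfo at run time, UnhookWindowsHookEx tearing down a hook, ShellExecuteW launching cmd.exe, a `/stext` switch (the NirSoft command-line convention for dumping a tool's output to a text file), and the "Offline/Online Keylogger Started" markers. The following triage helper is an added example, not Joe Sandbox code and not part of this report: it parses the `• Name.MODULE(args), ref: ADDR` lines and `String ID` fields into one record per function and tags each record with those capabilities. The rule table and its labels are my own heuristics, nothing the report states; the sample input is copied from the entries above.

```python
"""Added example: capability triage over a Joe Sandbox function listing (not Joe Sandbox code)."""
import re

# One API line of the listing, either a direct call or a "Part of subcall function" line.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")

# Heuristic rules (my own labels, not the report's): every API in "all" and at least one
# in "any" must be called; every "strings" fragment must appear in a String ID or call argument.
RULES = {
    "process enumeration (Toolhelp32)": {"all": {"CreateToolhelp32Snapshot"},
                                         "any": {"Process32FirstW", "Process32NextW"}},
    "opens foreign process": {"any": {"OpenProcess"}},
    "dynamic API resolution": {"all": {"GetProcAddress"}, "any": {"LoadLibraryA", "LoadLibraryW"}},
    "keyboard hook": {"any": {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx"}},
    "shell via cmd.exe": {"any": {"ShellExecuteW", "ShellExecuteA"}, "strings": ("cmd.exe",)},
    "NirSoft-style /stext dump": {"strings": ("/stext",)},
    "keylogger marker": {"strings": ("Keylogger",)},
}


def parse_listing(text):
    """Split the listing into one record per 'APIs' header: its calls and its String IDs."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": [], "strings": []}
            records.append(current)
        elif current is not None:
            if (m := API_RE.match(line)):
                current["calls"].append(m.groupdict())
            elif (m := STRING_RE.match(line)):
                # The report joins several strings of one function with '$'.
                current["strings"] += [s for s in m.group("strings").split("$") if s]
    return records


def capabilities(record):
    """Sorted labels of every rule the record satisfies (subcall APIs count for the caller)."""
    names = {c["name"] for c in record["calls"]}
    haystack = "\n".join(record["strings"] + [c["args"] or "" for c in record["calls"]])
    hits = []
    for label, rule in RULES.items():
        if not rule.get("all", set()) <= names:
            continue
        if "any" in rule and not rule["any"] & names:
            continue
        if all(frag in haystack for frag in rule.get("strings", ())):
            hits.append(label)
    return sorted(hits)


def triage(text):
    """Map the address of each function's first direct call to its capability labels."""
    out = {}
    for rec in parse_listing(text):
        if rec["calls"]:
            direct = [c for c in rec["calls"] if c["caller"] is None] or rec["calls"]
            out[direct[0]["ref"]] = capabilities(rec)
    return out


# Constructed input: records copied verbatim from the function listing above.
SAMPLE = """
APIs
  • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
• Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
  • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
• String ID:
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
• String ID: /sort "Visit Time" /stext "$8>G
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
• String ID: /C $cmd.exe$open
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
• String ID: GetLastInputInfo$User32.dll
APIs
• TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• String ID: pth_unenc
APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
• String ID: Offline Keylogger Started
"""

if __name__ == "__main__":
    for addr, labels in triage(SAMPLE).items():
        print(addr, labels)
```

Matching is per function, so an API reached through a subcall (OpenProcess via 0041B197 in the first record) is credited to the caller, which is what you want when the question is "which function does the process walk". The address key is the first direct call's `ref`, i.e. a location inside the function rather than its entry point; run it over the whole listing, not this excerpt, and extend the rule table with the API combinations you hunt for.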
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: __alldvrm$_strrchr
                          • String ID:
                          • API String ID: 1036877536-0
                          • Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                          • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                          • Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                          • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                          • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                          • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                          • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                          • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                          • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                          • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                          APIs
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                          • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                          • String ID:
                          • API String ID: 3360349984-0
                          • Opcode ID: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
                          • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                          • Opcode Fuzzy Hash: 54d56c26835f845e219b8fbcfbfaee96f182a1e2e5f8d4c6d7efe874cd7b3d0f
                          • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                          APIs
                          Strings
                          • Cleared browsers logins and cookies., xrefs: 0040B8EF
                          • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                          • API String ID: 3472027048-1236744412
                          • Opcode ID: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
                          • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                          • Opcode Fuzzy Hash: a560be4e93f7145764f14036b9ba5e851196c21c3d51501819e25b145e9be97c
                          • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                          APIs
                            • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                            • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                            • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                          • Sleep.KERNEL32(00000BB8), ref: 004115C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQuerySleepValue
                          • String ID: @CG$exepath$BG
                          • API String ID: 4119054056-3221201242
                          • Opcode ID: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
                          • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                          • Opcode Fuzzy Hash: 7e871a5e45cf0c5aa995f5861383ecd3664757752265a40acd77ba434a7e4b44
                          • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                          APIs
                            • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                            • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                            • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                          • Sleep.KERNEL32(000001F4), ref: 00409C95
                          • Sleep.KERNEL32(00000064), ref: 00409D1F
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$SleepText$ForegroundLength
                          • String ID: [ $ ]
                          • API String ID: 3309952895-93608704
                          • Opcode ID: 98d6b66478057358495496a018cf8b974f91cae2485f626915356807bc928fff
                          • Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
                          • Opcode Fuzzy Hash: 98d6b66478057358495496a018cf8b974f91cae2485f626915356807bc928fff
                          • Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
                          APIs
                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5DE
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5FB
                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B60F
                          • CloseHandle.KERNEL32(00000000), ref: 0041B61C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandlePointerWrite
                          • String ID:
                          • API String ID: 3604237281-0
                          • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                          • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                          • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                          • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                          • Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
                          • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                          • Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                          • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                          • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                          • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                          APIs
                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                            • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                            • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                          • _UnwindNestedFrames.LIBCMT ref: 00438134
                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                          • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                          • String ID:
                          • API String ID: 737400349-0
                          • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                          • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                          • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                          • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                          • GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                          • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                          • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                          • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                          • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 3919263394-0
                          • Opcode ID: 84c524a448c010b9be172ba78faf3346c00c98969e38f24d930284b8d2add881
                          • Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
                          • Opcode Fuzzy Hash: 84c524a448c010b9be172ba78faf3346c00c98969e38f24d930284b8d2add881
                          • Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA
                          APIs
                          • GetSystemMetrics.USER32(0000004C), ref: 00418529
                          • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                          • GetSystemMetrics.USER32(0000004E), ref: 00418535
                          • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: MetricsSystem
                          • String ID:
                          • API String ID: 4116985748-0
                          • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                          • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                          • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                          • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                          APIs
                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandleOpenProcess
                          • String ID:
                          • API String ID: 39102293-0
                          • Opcode ID: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
                          • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                          • Opcode Fuzzy Hash: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
                          • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: _memcmp
                          • String ID: 4[G$4[G
                          • API String ID: 2931989736-4028565467
                          • Opcode ID: c0cf07660e95b0ee548887709ac0c844436c6f626d7fb978308fdfb467b77264
                          • Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
                          • Opcode Fuzzy Hash: c0cf07660e95b0ee548887709ac0c844436c6f626d7fb978308fdfb467b77264
                          • Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: CountEventTick
                          • String ID: >G
                          • API String ID: 180926312-1296849874
                          • Opcode ID: d40a123c09f5dd7fc33c7c8b938888b13362624a47d2b00da105bfab6dfd1d1d
                          • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                          • Opcode Fuzzy Hash: d40a123c09f5dd7fc33c7c8b938888b13362624a47d2b00da105bfab6dfd1d1d
                          • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E
                          APIs
                          • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: Info
                          • String ID: $vD
                          • API String ID: 1807457897-3636070802
                          • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                          • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                          • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                          • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                          APIs
                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ACP$OCP
                          • API String ID: 0-711371036
                          • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                          • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                          • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                          • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
                          APIs
                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                          Strings
                          • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime
                          • String ID: KeepAlive | Enabled | Timeout:
                          • API String ID: 481472006-1507639952
                          • Opcode ID: 55e8a268f478e9dd55dcba40bfbb0b748b5ff50574cd289cd160118e090ea358
                          • Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
                          • Opcode Fuzzy Hash: 55e8a268f478e9dd55dcba40bfbb0b748b5ff50574cd289cd160118e090ea358
                          • Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F
                          APIs
                          • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime
                          • String ID: | $%02i:%02i:%02i:%03i
                          • API String ID: 481472006-2430845779
                          • Opcode ID: d3ffcd1d0ca88ff003ebf63de90cbb52a1477b8a5ce084a0fda1429b811f37a5
                          • Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
                          • Opcode Fuzzy Hash: d3ffcd1d0ca88ff003ebf63de90cbb52a1477b8a5ce084a0fda1429b811f37a5
                          • Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E
                          APIs
                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                            • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                          • CloseHandle.KERNEL32(?), ref: 0040A7CA
                          • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                          • String ID: Online Keylogger Stopped
                          • API String ID: 1623830855-1496645233
                          • Opcode ID: 441e50180230ba2ba05f386e367c5a536ce2e77025d1c3492b7828fca42d8fe8
                          • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                          • Opcode Fuzzy Hash: 441e50180230ba2ba05f386e367c5a536ce2e77025d1c3492b7828fca42d8fe8
                          • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                          APIs
                          • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                          • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: wave$BufferHeaderPrepare
                          • String ID: T=G
                          • API String ID: 2315374483-379896819
                          • Opcode ID: 8fbe103bd9222016c2b4e2bc3eb0eb996b4ad057f7b910ac6b5a0adda4e0e2aa
                          • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                          • Opcode Fuzzy Hash: 8fbe103bd9222016c2b4e2bc3eb0eb996b4ad057f7b910ac6b5a0adda4e0e2aa
                          • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                          APIs
                          • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: LocaleValid
                          • String ID: IsValidLocaleName$z=D
                          • API String ID: 1901932003-2791046955
                          • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                          • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                          • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                          • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: H_prolog
                          • String ID: T=G$T=G
                          • API String ID: 3519838083-3732185208
                          • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                          • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                          • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                          • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                          APIs
                          • GetKeyState.USER32(00000011), ref: 0040AD5B
                            • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                            • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                            • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                            • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                            • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                          • String ID: [AltL]$[AltR]
                          • API String ID: 2738857842-2658077756
                          • Opcode ID: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
                          • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                          • Opcode Fuzzy Hash: 3060760f9439b7e306d49c13d8f75930fa0495ce116598ddfd2946cd15ffa226
                          • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                          APIs
                          • _free.LIBCMT ref: 00448835
                            • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                            • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorFreeHeapLast_free
                          • String ID: `@$`@
                          • API String ID: 1353095263-20545824
                          • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                          • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                          • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                          • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                          APIs
                          • GetKeyState.USER32(00000012), ref: 0040ADB5
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: State
                          • String ID: [CtrlL]$[CtrlR]
                          • API String ID: 1649606143-2446555240
                          • Opcode ID: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
                          • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                          • Opcode Fuzzy Hash: 5e7418163892c1745ec9138d14110a374d5f1712bd724f4894496e05d56ee1c7
                          • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                          Strings
                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteOpenValue
                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                          • API String ID: 2654517830-1051519024
                          • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                          • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                          • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                          • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                          APIs
                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteDirectoryFileRemove
                          • String ID: pth_unenc
                          • API String ID: 3325800564-4028850238
                          • Opcode ID: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
                          • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                          • Opcode Fuzzy Hash: b9b9920c625181ca6de104178518fd5ce2cfe10458045dbf61cc06549d32ecb0
                          • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                          APIs
                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ObjectProcessSingleTerminateWait
                          • String ID: pth_unenc
                          • API String ID: 1872346434-4028850238
                          • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                          • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                          • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                          • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                          • GetLastError.KERNEL32 ref: 0043FB12
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                          Memory Dump Source
                          • Source File: 00000005.00000002.4582279210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_Suppliers_Data.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast
                          • String ID:
                          • API String ID: 1717984340-0
                          • Opcode ID: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
                          • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                          • Opcode Fuzzy Hash: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
                          • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759