Edit tour

Windows Analysis Report
Payment_Advice-pdf.exe

Overview

General Information

Sample name:	Payment_Advice-pdf.exe
Analysis ID:	1407051
MD5:	d5f853358e53cae39dba60601507842c
SHA1:	c76532dba79ec69659b4cdb8adddbc8417662d76
SHA256:	d202f0b84b0e2a15c1c90284d0286b8b497e245e6b083e7b98294e1227d52925
Tags:	agentteslaexezgrat
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment_Advice-pdf.exe (PID: 7348 cmdline: C:\Users\user\Desktop\Payment_Advice-pdf.exe MD5: D5F853358E53CAE39DBA60601507842C)

RegSvcs.exe (PID: 7400 cmdline: C:\Users\user\Desktop\Payment_Advice-pdf.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Payment_Advice-pdf.exe (PID: 7408 cmdline: C:\Users\user\Desktop\Payment_Advice-pdf.exe MD5: D5F853358E53CAE39DBA60601507842C)

RegSvcs.exe (PID: 7436 cmdline: C:\Users\user\Desktop\Payment_Advice-pdf.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "webmail.wapination.net", "Username": "work2@wapination.net", "Password": "sync@#1235"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x400fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4016d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x401f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40289:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x402f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40365:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x403fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4048b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.2911331278.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f213:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f285:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f30f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f3a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f40b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f47d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f513:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f5a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.Payment_Advice-pdf.exe.3b10000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.Payment_Advice-pdf.exe.3b10000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.5270000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5270000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5270000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5270000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x400fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4016d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x401f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40289:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x402f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40365:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x403fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4048b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Payment_Advice-pdf.exe.4330000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Payment_Advice-pdf.exe.4330000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.296fd06.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.296fd06.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.296fd06.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.296fd06.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d413:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d485:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d50f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d5a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d60b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d67d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d713:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d7a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5270000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5270000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5270000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5270000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e2fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e36d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e3f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e489:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e4f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e565:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e5fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e68b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 DC 88 44 24 2B 88 44 24 2F B0 05 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.296ee1e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.296ee1e.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.296ee1e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.296ee1e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x400fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4016d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x401f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40289:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x402f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40365:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x403fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4048b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.3c92d90.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3c92d90.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.3c92d90.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3c92d90.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d413:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d485:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d50f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d5a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d60b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d67d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d713:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d7a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.296fd06.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.296fd06.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.296fd06.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.296fd06.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f213:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f285:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f30f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f3a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f40b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f47d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f513:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f5a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.3c92d90.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3c92d90.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.3c92d90.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3c92d90.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f213:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f285:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f30f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f3a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f40b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f47d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f513:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f5a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.3c46458.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3c46458.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.3c46458.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3c46458.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d413:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d485:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d50f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d5a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d60b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d67d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d713:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d7a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.3c46458.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3c46458.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.3c46458.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3c46458.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f213:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8bb4b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f285:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8bbbd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f30f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8bc47:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f3a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8bcd9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f40b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8bd43:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f47d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8bdb5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f513:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8be4b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f5a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8bedb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.3c45570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3c45570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.3c45570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3c45570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x400fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8ca33:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4016d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8caa5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x401f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8cb2f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40289:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8cbc1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x402f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8cc2b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40365:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8cc9d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x403fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8cd33:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x4048b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8cdc3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5270ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5270ee8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5270ee8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5270ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d413:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d485:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d50f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d5a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d60b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d67d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d713:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d7a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.296ee1e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.296ee1e.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.296ee1e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.296ee1e.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e2fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e36d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e3f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e489:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e4f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e565:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e5fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e68b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.52c0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.52c0000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.52c0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.52c0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f213:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f285:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f30f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f3a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f40b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f47d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f513:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f5a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.5270ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.5270ee8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.5270ee8.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.5270ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f213:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f285:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f30f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f3a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f40b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f47d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f513:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f5a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.52c0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.52c0000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.52c0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.52c0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d413:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d485:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d50f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d5a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3d60b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3d67d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3d713:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3d7a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.3c45570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3c45570.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.3c45570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3c45570.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e2fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e36d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e3f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e489:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e4f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e565:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e5fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e68b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 67 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.179.234.136, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7436, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49729

Snort Signatures

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 108.179.234.136

Timestamp:	03/11/24-20:53:08.961460
SID:	2855542
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 108.179.234.136

Timestamp:	03/11/24-20:53:08.961460
SID:	2855245
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 108.179.234.136

Timestamp:	03/11/24-20:53:08.961460
SID:	2851779
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 108.179.234.136

Timestamp:	03/11/24-20:53:08.961460
SID:	2840032
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.4 - Destination IP: 108.179.234.136

Timestamp:	03/11/24-20:53:08.961460
SID:	2839723
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 108.179.234.136

Timestamp:	03/11/24-20:53:08.961460
SID:	2030171
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "webmail.wapination.net", "Username": "work2@wapination.net", "Password": "sync@#1235"}

Multi AV Scanner detection for submitted file

Source: Payment_Advice-pdf.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: Payment_Advice-pdf.exe

Joe Sandbox ML: detected

Source: Payment_Advice-pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment_Advice-pdf.exe, 00000000.00000003.1687668588.0000000004520000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000000.00000003.1687896314.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1715589602.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1716789021.0000000004230000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment_Advice-pdf.exe, 00000000.00000003.1687668588.0000000004520000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000000.00000003.1687896314.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1715589602.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1716789021.0000000004230000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FF4696
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FFC9C7
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFC93C FindFirstFileW,FindClose,	0_2_00FFC93C
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF200
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF35D
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFF65E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3A2B
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3D4E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFBF27

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49729 -> 108.179.234.136:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49729 -> 108.179.234.136:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49729 -> 108.179.234.136:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49729 -> 108.179.234.136:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49729 -> 108.179.234.136:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49729 -> 108.179.234.136:587

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 108.179.234.136:587

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 108.179.234.136:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_010025E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010025E2

Source: unknown

DNS traffic detected: queries for: webmail.wapination.net

Source: RegSvcs.exe, 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wapination.net
Source: RegSvcs.exe, 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webmail.wapination.net
Source: RegSvcs.exe, 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, n00.cs

.Net Code: tDNRtEPwKHh

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_0100425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0100425A

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_01004458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01004458

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

0_2_0100425A

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FF0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FF0219

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_0101CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0101CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.Payment_Advice-pdf.exe.3b10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment_Advice-pdf.exe.4330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F93B4C
Source: Payment_Advice-pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment_Advice-pdf.exe, 00000000.00000000.1660729703.0000000001045000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_181fccf8-b
Source: Payment_Advice-pdf.exe, 00000000.00000000.1660729703.0000000001045000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_88900613-4
Source: Payment_Advice-pdf.exe, 00000002.00000002.1717704814.0000000001045000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_47a21124-0
Source: Payment_Advice-pdf.exe, 00000002.00000002.1717704814.0000000001045000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3c24b215-8
Source: Payment_Advice-pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd1d7335-6
Source: Payment_Advice-pdf.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_28cc7be0-b

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment_Advice-pdf.exe

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FF40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00FF40B1

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FE8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FE8858

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FF545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FF545F

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00F9E800	0_2_00F9E800
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBDBB5	0_2_00FBDBB5
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00F9FE40	0_2_00F9FE40
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00F9E060	0_2_00F9E060
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_0101804A	0_2_0101804A
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA4140	0_2_00FA4140
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB2405	0_2_00FB2405
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FC6522	0_2_00FC6522
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FC267E	0_2_00FC267E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_01010665	0_2_01010665
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA6843	0_2_00FA6843
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB283A	0_2_00FB283A
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FC89DF	0_2_00FC89DF
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FC6A94	0_2_00FC6A94
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA8A0E	0_2_00FA8A0E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_01010AE2	0_2_01010AE2
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF8B13	0_2_00FF8B13
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FEEB07	0_2_00FEEB07
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBCD61	0_2_00FBCD61
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FC7006	0_2_00FC7006
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA3190	0_2_00FA3190
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA710E	0_2_00FA710E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00F91287	0_2_00F91287
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB33C7	0_2_00FB33C7
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBF419	0_2_00FBF419
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB16C4	0_2_00FB16C4
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA5680	0_2_00FA5680
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB78D3	0_2_00FB78D3
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FA58C0	0_2_00FA58C0
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB1BB8	0_2_00FB1BB8
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FC9D05	0_2_00FC9D05
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBBFE6	0_2_00FBBFE6
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB1FD0	0_2_00FB1FD0
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_019B3790	0_2_019B3790
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 2_2_021A3790	2_2_021A3790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418244	3_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401650	3_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004193C4	3_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418788	3_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0279D620	3_2_0279D620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0279CA08	3_2_0279CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02790FD0	3_2_02790FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02791030	3_2_02791030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0279CD50	3_2_0279CD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0586AF88	3_2_0586AF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0586E7C0	3_2_0586E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0586E068	3_2_0586E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05868C18	3_2_05868C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05860007	3_2_05860007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05865018	3_2_05865018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05860040	3_2_05860040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_062D56B0	3_2_062D56B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_062D95E0	3_2_062D95E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_062D4338	3_2_062D4338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_062D0638	3_2_062D0638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_062D78A8	3_2_062D78A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05868C0A	3_2_05868C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05866399	3_2_05866399

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: String function: 00FB8B40 appears 42 times
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: String function: 00FB0D27 appears 70 times
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: String function: 00F97F41 appears 35 times

Source: Payment_Advice-pdf.exe, 00000000.00000003.1687896314.00000000044A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Advice-pdf.exe
Source: Payment_Advice-pdf.exe, 00000000.00000003.1687668588.000000000464D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Advice-pdf.exe
Source: Payment_Advice-pdf.exe, 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameae4aab88-00c5-495e-a909-8e351a823b52.exe4 vs Payment_Advice-pdf.exe
Source: Payment_Advice-pdf.exe, 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameae4aab88-00c5-495e-a909-8e351a823b52.exe4 vs Payment_Advice-pdf.exe
Source: Payment_Advice-pdf.exe, 00000002.00000003.1716789021.0000000004353000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Advice-pdf.exe
Source: Payment_Advice-pdf.exe, 00000002.00000003.1717022595.00000000044FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_Advice-pdf.exe

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Section loaded: wldp.dll	Jump to behavior

Source: Payment_Advice-pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.Payment_Advice-pdf.exe.3b10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment_Advice-pdf.exe.4330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, NpXw3kw.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@1/1

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FFA2D5 GetLastError,FormatMessageW,

0_2_00FFA2D5

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FE8713 AdjustTokenPrivileges,CloseHandle,		0_2_00FE8713
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FE8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FE8CC3

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FFB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FFB59E

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_0100F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0100F121

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FFC602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FFC602

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00F94FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F94FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

File created: C:\Users\user\AppData\Local\Temp\aut2D03.tmp

Jump to behavior

Source: Payment_Advice-pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment_Advice-pdf.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Payment_Advice-pdf.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Users\user\Desktop\Payment_Advice-pdf.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Users\user\Desktop\Payment_Advice-pdf.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Payment_Advice-pdf.exe

Static file information: File size 1210368 > 1048576

Source: Payment_Advice-pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment_Advice-pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment_Advice-pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment_Advice-pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment_Advice-pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment_Advice-pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment_Advice-pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment_Advice-pdf.exe, 00000000.00000003.1687668588.0000000004520000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000000.00000003.1687896314.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1715589602.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1716789021.0000000004230000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment_Advice-pdf.exe, 00000000.00000003.1687668588.0000000004520000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000000.00000003.1687896314.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1715589602.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, Payment_Advice-pdf.exe, 00000002.00000003.1716789021.0000000004230000.00000004.00001000.00020000.00000000.sdmp

Source: Payment_Advice-pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment_Advice-pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment_Advice-pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment_Advice-pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment_Advice-pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_0100C304 LoadLibraryA,GetProcAddress,

0_2_0100C304

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF8719 push FFFFFF8Bh; iretd	0_2_00FF871B
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBE94F push edi; ret	0_2_00FBE951
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBEA68 push esi; ret	0_2_00FBEA6A
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FB8B85 push ecx; ret	0_2_00FB8B98
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBEC43 push esi; ret	0_2_00FBEC45
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBED2C push edi; ret	0_2_00FBED2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00423149 push eax; ret	3_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004231C8 push eax; ret	3_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E21D push ecx; ret	3_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C6BE push ebx; ret	3_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040BB97 push dword ptr [ecx-75h]; iretd	3_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0279475F push ebx; retf	3_2_02794762

Source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'fd23WFlLRaXj9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'fd23WFlLRaXj9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'fd23WFlLRaXj9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'fd23WFlLRaXj9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'fd23WFlLRaXj9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00F94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F94A35
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_010155FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_010155FD

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FB33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FB33C7

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2290			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 495			Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98435

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FF4696
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FFC9C7
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFC93C FindFirstFileW,FindClose,	0_2_00FFC93C
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF200
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF35D
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFF65E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3A2B
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FF3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3D4E
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FFBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFBF27

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00F94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F94AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2913306699.00000000055C2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	API call chain: ExitProcess graph end node	graph_0-97769
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	API call chain: ExitProcess graph end node	graph_0-97835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_010041FD BlockInput,

0_2_010041FD

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00F93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F93B4C

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FC5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FC5CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

3_2_004019F0

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_0100C304 LoadLibraryA,GetProcAddress,

0_2_0100C304

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_019B3680 mov eax, dword ptr fs:[00000030h]	0_2_019B3680
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_019B3620 mov eax, dword ptr fs:[00000030h]	0_2_019B3620
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_019B1ED0 mov eax, dword ptr fs:[00000030h]	0_2_019B1ED0
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 2_2_021A3680 mov eax, dword ptr fs:[00000030h]	2_2_021A3680
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 2_2_021A3620 mov eax, dword ptr fs:[00000030h]	2_2_021A3620
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 2_2_021A1ED0 mov eax, dword ptr fs:[00000030h]	2_2_021A1ED0

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FE81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FE81F7

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FBA395
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_00FBA364 SetUnhandledExceptionFilter,	0_2_00FBA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 82A008

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FE8C93 LogonUserW,

0_2_00FE8C93

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00F93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F93B4C

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00F94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F94A35

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FF4EF5 mouse_event,

0_2_00FF4EF5

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe			Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\Desktop\Payment_Advice-pdf.exe			Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

0_2_00FE81F7

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FF4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FF4C03

Source: Payment_Advice-pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment_Advice-pdf.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FB886B cpuid

0_2_00FB886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

3_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FC50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FC50D7

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FD2230 GetUserNameW,

0_2_00FD2230

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00FC418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FC418A

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe

Code function: 0_2_00F94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F94AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Payment_Advice-pdf.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Advice-pdf.exe.4330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Payment_Advice-pdf.exe	Binary or memory string: WIN_81
Source: Payment_Advice-pdf.exe	Binary or memory string: WIN_XP
Source: Payment_Advice-pdf.exe	Binary or memory string: WIN_XPe
Source: Payment_Advice-pdf.exe	Binary or memory string: WIN_VISTA
Source: Payment_Advice-pdf.exe	Binary or memory string: WIN_7
Source: Payment_Advice-pdf.exe	Binary or memory string: WIN_8
Source: Payment_Advice-pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7436, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296fd06.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c92d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c46458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.296ee1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.5270ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.52c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3c45570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Payment_Advice-pdf.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Advice-pdf.exe.4330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_01006596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01006596
Source: C:\Users\user\Desktop\Payment_Advice-pdf.exe	Code function: 0_2_01006A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01006A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment_Advice-pdf.exe	39%	ReversingLabs	Win32.Spyware.RedLine
Payment_Advice-pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://wapination.net	0%	Avira URL Cloud	safe
http://webmail.wapination.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wapination.net	108.179.234.136	true	true		unknown
webmail.wapination.net	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	RegSvcs.exe, 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://wapination.net	RegSvcs.exe, 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://webmail.wapination.net	RegSvcs.exe, 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.179.234.136	wapination.net	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1407051
Start date and time:	2024-03-11 20:52:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment_Advice-pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 63 Number of non-executed functions: 262
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Payment_Advice-pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
20:53:06	API Interceptor	14x Sleep call for process: RegSvcs.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	Quotation MEW Tender 2024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	50.87.186.52
	RFQ__ PO-7647454645_PDF.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209
	copia TT allegata.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209
	ADSFDGHJs#U034fx#U034fl#U034fx#U034f..exe	Get hash	malicious	FormBook	Browse	162.144.32.209
	N270-10-MR-1671-01.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	50.87.186.52
	OUTSTANDING PO.exe	Get hash	malicious	FormBook	Browse	162.144.32.209
	ENQUIRY FOR QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209
	PAYMENT.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209
	Urgent request for a quote.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209

Process:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	264840
Entropy (8bit):	7.979091056058801
Encrypted:	false
SSDEEP:	6144:AXRz06bY2/m1cbRvarB/y66KQQDGiYEIq6xHSP2JXs:AB4yY2/WByVuDaECs
MD5:	D8492D83BD53179EC16D989EFD544AAA
SHA1:	CA4C609A72604D54A5AB76D610B7C38E6C0331F1
SHA-256:	1E111E592DD3BC208C69D986A684479A2CEFE6A485022B1334B1C476152F1BD2
SHA-512:	A2F8341B65C33671085E37D2C43B9F5DB2E3040D02476197E3047148DE0242EC8A2864225361A8CABF74B7B1B2C60FB7AC498CAD1F1C84EB73CB3F7EE7971790
Malicious:	false
Reputation:	low
Preview:	EA06..........Q...T..T.Sf....g...5j...;4 ....Oe..}.._..~.HFn.g...V)L.w#..%7i.J.,.M.3I...@.].........r.Dn.[.....,..m7..f.n.j$....g...e.....I.q.V..~uz.v).....w.L.3]..........n.N.`..BQ!... ..."u...0h...y..4\|..".9..F!2..)u..2.M......(.8W@.....8.Vj.@...V...3A....Y.T(..u..Q...\..f..q...gB..1bJ...boD...T..OE.P.2.Z-6R...ei5J...s......I..&.y...8........p...JH.W...U.1...A6..T........@.G....`...J.#..l..E......:......Q1....GP..'Z...[7.U.......Q....@%...;..?..b4..~g4.m.S:.?.'....y...A.L..M.bk.....v7...f1...#5..I....g...Q...MFg>.Ph..6...n.Y......T.......E9...g.5.N.Yj..-...2..2.5..u.9...M...+G.V....e.M...(X9.^....p.pH..4.C+u.g3{.....j_..G.]9.nD........K.7...r.\+.I........w..m&.F...jM7....,....}..Ph..&.....W..._._h[.?..D.S.B...M}...1.'w]<.....R....../..A..Vz..d.i..k....&.. \|.n.Q..`.Z.b_Q..ZH.S.O.I..gg.o.6;.i...Z.W...L.....&tp....S(.../ .M(.x....s.WY=V...O..H. ...s.@..~!`...@..;......F>cD...2=`.z...Z......R+..s(T.......W...=e.U...%6oD..a.h'+..........~.@.J

C:\Users\user\AppData\Local\Temp\aut2D52.tmp

Download File

Process:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	13304
Entropy (8bit):	7.697592806507836
Encrypted:	false
SSDEEP:	384:vQyiU2jt8U6p8NYTdAStRkOg3Pi7zjqlZs:oyiU25KXeStRng/i7zjAS
MD5:	91E0641787386F0C21B7B6D779B0495D
SHA1:	31D8E3679EC80C28CC9126D5866FFCB4191C8ECF
SHA-256:	367F1FC0E0F877C80302AA511C99ACD7099999A747A8446FAC23657E7D680D20
SHA-512:	37DE19DC6379E47D66E2CEC3E6AA198949BF001CFFD6AB831FC0580FB8F975463C24C1F8DA4128B6365286885A50C64FFC88EDD9A935EA8084075C8DA0BDDD3D
Malicious:	false
Reputation:	low
Preview:	EA06.....g....{6....y..`."Lf@....=.L......."m1..@...t.@......p.@.......R.@....m3.u..H.qN..2.o.Lf3..n.f.....[..9..9t...,.p.....J.S....@.Z........~.+32..@......U......U...b.S.....S...&.U ..........c......K.....`.........e.....~.p..L.(.....V.............h...7.O...?..O..<6.+.x.`............N..............z@.....A4..../..-..(d........@7.P'?...S@7?..Q.........@#).+....1.a............p..@. eL....`.........8.........w...........&...Ho.j....Xd.....k~.Yy....3PMO...........5....<.6.....s8...f.._.........._..z..;.....2..`u..........`u.......A....hX.....-..%b`...),M.=...V..=..I.V...6..........U..?.x...W....;....`.......X..r.. ...'..............s..'..S..L.9s....'!..X}~&.(..`r..Q..........:..0.. ...`...)....O... .....f.9..X..@. ..b#-.g.....}.\|.@..o\.......<....._..G....+..'>@g....A...R..n.'.......n.{...L.'....f.W..9..Nn....f..Nt.....h.@O6.?........a...p'#.........&.'....[.'.h=v..{5.......=..;\|.....l)g...*..%. .........}....@.....f '...ICs....^`._....s`...M. N......p...`.c.....

C:\Users\user\AppData\Local\Temp\aut37A1.tmp

Download File

Process:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	264840
Entropy (8bit):	7.979091056058801
Encrypted:	false
SSDEEP:	6144:AXRz06bY2/m1cbRvarB/y66KQQDGiYEIq6xHSP2JXs:AB4yY2/WByVuDaECs
MD5:	D8492D83BD53179EC16D989EFD544AAA
SHA1:	CA4C609A72604D54A5AB76D610B7C38E6C0331F1
SHA-256:	1E111E592DD3BC208C69D986A684479A2CEFE6A485022B1334B1C476152F1BD2
SHA-512:	A2F8341B65C33671085E37D2C43B9F5DB2E3040D02476197E3047148DE0242EC8A2864225361A8CABF74B7B1B2C60FB7AC498CAD1F1C84EB73CB3F7EE7971790
Malicious:	false
Reputation:	low
Preview:	EA06..........Q...T..T.Sf....g...5j...;4 ....Oe..}.._..~.HFn.g...V)L.w#..%7i.J.,.M.3I...@.].........r.Dn.[.....,..m7..f.n.j$....g...e.....I.q.V..~uz.v).....w.L.3]..........n.N.`..BQ!... ..."u...0h...y..4\|..".9..F!2..)u..2.M......(.8W@.....8.Vj.@...V...3A....Y.T(..u..Q...\..f..q...gB..1bJ...boD...T..OE.P.2.Z-6R...ei5J...s......I..&.y...8........p...JH.W...U.1...A6..T........@.G....`...J.#..l..E......:......Q1....GP..'Z...[7.U.......Q....@%...;..?..b4..~g4.m.S:.?.'....y...A.L..M.bk.....v7...f1...#5..I....g...Q...MFg>.Ph..6...n.Y......T.......E9...g.5.N.Yj..-...2..2.5..u.9...M...+G.V....e.M...(X9.^....p.pH..4.C+u.g3{.....j_..G.]9.nD........K.7...r.\+.I........w..m&.F...jM7....,....}..Ph..&.....W..._._h[.?..D.S.B...M}...1.'w]<.....R....../..A..Vz..d.i..k....&.. \|.n.Q..`.Z.b_Q..ZH.S.O.I..gg.o.6;.i...Z.W...L.....&tp....S(.../ .M(.x....s.WY=V...O..H. ...s.@..~!`...@..;......F>cD...2=`.z...Z......R+..s(T.......W...=e.U...%6oD..a.h'+..........~.@.J

C:\Users\user\AppData\Local\Temp\aut37E1.tmp

Download File

Process:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	13304
Entropy (8bit):	7.697592806507836
Encrypted:	false
SSDEEP:	384:vQyiU2jt8U6p8NYTdAStRkOg3Pi7zjqlZs:oyiU25KXeStRng/i7zjAS
MD5:	91E0641787386F0C21B7B6D779B0495D
SHA1:	31D8E3679EC80C28CC9126D5866FFCB4191C8ECF
SHA-256:	367F1FC0E0F877C80302AA511C99ACD7099999A747A8446FAC23657E7D680D20
SHA-512:	37DE19DC6379E47D66E2CEC3E6AA198949BF001CFFD6AB831FC0580FB8F975463C24C1F8DA4128B6365286885A50C64FFC88EDD9A935EA8084075C8DA0BDDD3D
Malicious:	false
Reputation:	low
Preview:	EA06.....g....{6....y..`."Lf@....=.L......."m1..@...t.@......p.@.......R.@....m3.u..H.qN..2.o.Lf3..n.f.....[..9..9t...,.p.....J.S....@.Z........~.+32..@......U......U...b.S.....S...&.U ..........c......K.....`.........e.....~.p..L.(.....V.............h...7.O...?..O..<6.+.x.`............N..............z@.....A4..../..-..(d........@7.P'?...S@7?..Q.........@#).+....1.a............p..@. eL....`.........8.........w...........&...Ho.j....Xd.....k~.Yy....3PMO...........5....<.6.....s8...f.._.........._..z..;.....2..`u..........`u.......A....hX.....-..%b`...),M.=...V..=..I.V...6..........U..?.x...W....;....`.......X..r.. ...'..............s..'..S..L.9s....'!..X}~&.(..`r..Q..........:..0.. ...`...)....O... .....f.9..X..@. ..b#-.g.....}.\|.@..o\.......<....._..G....+..'>@g....A...R..n.'.......n.{...L.'....f.W..9..Nn....f..Nt.....h.@O6.?........a...p'#.........&.'....[.'.h=v..{5.......=..;\|.....l)g...*..%. .........}....@.....f '...ICs....^`._....s`...M. N......p...`.c.....

C:\Users\user\AppData\Local\Temp\exhilaratingly

Download File

Process:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	267264
Entropy (8bit):	7.868775736098433
Encrypted:	false
SSDEEP:	6144:sQc1xh58eIUyUoe9IAmQC+kMi7tr1vrEdswnsK/GmOYguJZj4QrtT8LN:w39IAmskBF1gOtYguJ+Q5yN
MD5:	497FA5301AC5D916495D18670923C0DA
SHA1:	E9441F19940BBD36BFC59FFF400668043DE1E82C
SHA-256:	3797FF1F0D912EB8D64E2DCE9C375B9FCCFD54874042D944A84952CB6EEAEF32
SHA-512:	EE8266DA4B242C88AE29C1F5954007223C264B76AA576DF4AC34E71AEFF096518A996EB9B39AD0AE1C76C87DF6060B4E657D4D41F04211261ED146BFC0F82999
Malicious:	false
Reputation:	low
Preview:	...M6DVQ73BA..VT.M5DVQ33.ABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM.DVQ=,.OB._.e.4..pg[+2b)$;#?T)v2R],.6y41d?@v8]....y;; (.I[[.3BABYVT,].iz .Mn0.'z%.3.g)/.B.?I..o<.:z .M.0.'dw3)5./..+?.(.vnN:{ .M.(!1z%.35DVQ33BABYVTDM5D.:.VBABY..DMyERQG.B.BYVTDM5D.Q.2I@KYV.EM5<TQ33BAm.VTD]5DV.23BA.YVDDM5FVQ63BABYVTAM5DVQ33B!FYVPDM..TQ13B.BYFTD]5DVQ#3BQBYVTDM%DVQ33BABYVT.X7D.Q33B!@Y..EM5DVQ33BABYVTDM5DVQ33BABY..EM)DVQ33BABYVTDM5DVQ33BABYVTDM.ITQs3BABYVTDM5DV.23.@BYVTDM5DVQ33BABYVTDM5DVQ33l5'!"TDM-.WQ3#BAB.WTDI5DVQ33BABYVTDM.DV1.A& 68VT. 5DV.23B/BYV.EM5DVQ33BABYVT.M5.x5RG#ABY.dDM5dTQ3%BABSTTDM5DVQ33BABY.TD..6%#P3BA:.WTD-7DV.23Ba@YVTDM5DVQ33BA.YV.DM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5DVQ33BABYVTDM5D

C:\Users\user\AppData\Local\Temp\windigos

Download File

Process:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	99057
Entropy (8bit):	2.9239386184333815
Encrypted:	false
SSDEEP:	384:w99wg2MNx29vfRr+2ZAyFbwv6VXufORYtwqhWjy4/xr0O6BvS7A8kjyR3qDAngCI:Xe1ickopPcb/R+j
MD5:	ACB314098226E039CD35539EF13D4D9D
SHA1:	D120830B09C51F376BFDB3D58D5592EE16B18FC8
SHA-256:	C15D83951A2635629BE605C41278B933036F5CB2D0AECD9F6C67575AD0EA92CC
SHA-512:	0AA300B3A036440A580858795183E92F9CDA5FDEDAB499E0AF37FFED420BEF3B6CF026ADFCC0A017B7596F6C94DEA5D8E7E8CD87ED0275E4D868462C60DEBDB6
Malicious:	false
Reputation:	low
Preview:	59=131=64=64=67=109=112=110=67=60=112=110=110=110=59=61=59=59=59=59=64=65=64=66=109=67=65=109=59=59=59=59=59=59=65=65=67=68=63=64=67=63=109=68=65=64=59=59=59=59=59=59=65=65=67=68=63=111=67=65=109=108=66=61=59=59=59=59=59=59=65=65=67=68=64=64=67=67=109=67=65=112=59=59=59=59=59=59=65=65=67=68=63=64=67=108=109=68=65=64=59=59=59=59=59=59=65=65=67=68=63=111=67=110=109=108=65=110=59=59=59=59=59=59=65=65=67=68=64=64=67=112=109=67=62=62=59=59=59=59=59=59=65=65=67=68=63=64=68=59=109=68=62=61=59=59=59=59=59=59=65=65=67=68=63=111=68=61=109=108=61=112=59=59=59=59=59=59=65=65=67=68=64=64=68=63=109=67=65=63=59=59=59=59=59=59=65=65=67=68=63=64=68=65=109=68=65=110=59=59=59=59=59=59=65=65=67=68=63=111=68=67=109=108=65=110=59=59=59=59=59=59=65=65=67=68=64=64=68=108=62=62=110=59=65=65=67=68=63=64=68=110=109=68=65=112=59=59=59=59=59=59=65=65=67=68=67=111=63=63=113=113=113=113=113=113=109=108=66=63=59=59=59=59=59=59=65=65=67=68=68=64=63=65=113=113=113=113=113=113=109=67=65=63=59=59=59=59=59=59=65=65=67=68=

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.164680290352159
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment_Advice-pdf.exe
File size:	1'210'368 bytes
MD5:	d5f853358e53cae39dba60601507842c
SHA1:	c76532dba79ec69659b4cdb8adddbc8417662d76
SHA256:	d202f0b84b0e2a15c1c90284d0286b8b497e245e6b083e7b98294e1227d52925
SHA512:	04d13c04ee6a88b10ca0fe7d08fe8e0114b2c20aa792cd238830d1971ef3488df0a51821d077cc491b1b99a86f9f726512c1c449c07aacb96c9bb4e03e129f1e
SSDEEP:	24576:UAHnh+eWsN3skA4RV1Hom2KXMmHaedfN2ffZ/socXiFi5:jh+ZkldoPK8Yaed1mZ/socSK
TLSH:	5A45BE0273D2D036FFAB92739B6AF64156BD78254123852F13981DB9BC701B2273E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65EA4FEC [Thu Mar 7 23:38:20 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F89691DA15Dh
jmp 00007F89691CCF14h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F89691CD09Ah
cmp edi, eax
jc 00007F89691CD3FEh
bt dword ptr [004C41FCh], 01h
jnc 00007F89691CD099h
rep movsb
jmp 00007F89691CD3ACh
cmp ecx, 00000080h
jc 00007F89691CD264h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F89691CD0A0h
bt dword ptr [004BF324h], 01h
jc 00007F89691CD570h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F89691CD23Dh
test edi, 00000003h
jne 00007F89691CD24Eh
test esi, 00000003h
jne 00007F89691CD22Dh
bt edi, 02h
jnc 00007F89691CD09Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F89691CD0A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F89691CD0F5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5d04c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5d04c	0x5d200	0a43a637996f4f34962d23376501991c	False	0.9289691694630873	data	7.898230753466024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x54314	data			1.000336376184566
RT_GROUP_ICON	0x124acc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x124b44	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x124b58	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124b6c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x124b80	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124c5c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/11/24-20:53:08.961460	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49729	587	192.168.2.4	108.179.234.136
03/11/24-20:53:08.961460	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49729	587	192.168.2.4	108.179.234.136
03/11/24-20:53:08.961460	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49729	587	192.168.2.4	108.179.234.136
03/11/24-20:53:08.961460	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49729	587	192.168.2.4	108.179.234.136
03/11/24-20:53:08.961460	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49729	587	192.168.2.4	108.179.234.136
03/11/24-20:53:08.961460	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49729	587	192.168.2.4	108.179.234.136

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2024 20:53:07.842181921 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:07.951601982 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:07.951839924 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.171597004 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.172678947 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.282459021 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.284110069 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.394023895 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.397258043 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.550033092 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.621875048 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.625274897 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.737864971 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.737966061 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.738245010 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.849808931 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.850052118 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.959672928 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.959705114 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:08.961460114 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.961460114 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.961561918 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:08.961608887 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:53:09.071417093 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:09.071439981 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:09.072422028 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:53:09.121288061 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:54:47.621552944 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:54:47.771707058 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:54:47.932261944 CET	587	49729	108.179.234.136	192.168.2.4
Mar 11, 2024 20:54:47.932394028 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:54:47.932563066 CET	49729	587	192.168.2.4	108.179.234.136
Mar 11, 2024 20:54:48.042071104 CET	587	49729	108.179.234.136	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2024 20:53:07.611465931 CET	63544	53	192.168.2.4	1.1.1.1
Mar 11, 2024 20:53:07.830135107 CET	53	63544	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 11, 2024 20:53:07.611465931 CET	192.168.2.4	1.1.1.1	0x7941	Standard query (0)	webmail.wapination.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 11, 2024 20:53:07.830135107 CET	1.1.1.1	192.168.2.4	0x7941	No error (0)	webmail.wapination.net	wapination.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 11, 2024 20:53:07.830135107 CET	1.1.1.1	192.168.2.4	0x7941	No error (0)	wapination.net		108.179.234.136	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 11, 2024 20:53:08.171597004 CET	587	49729	108.179.234.136	192.168.2.4	220-gator4249.hostgator.com ESMTP Exim 4.96.2 #2 Mon, 11 Mar 2024 14:53:08 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 11, 2024 20:53:08.172678947 CET	49729	587	192.168.2.4	108.179.234.136	EHLO 103386
Mar 11, 2024 20:53:08.282459021 CET	587	49729	108.179.234.136	192.168.2.4	250-gator4249.hostgator.com Hello 103386 [191.96.150.227] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 11, 2024 20:53:08.284110069 CET	49729	587	192.168.2.4	108.179.234.136	AUTH login d29yazJAd2FwaW5hdGlvbi5uZXQ=
Mar 11, 2024 20:53:08.394023895 CET	587	49729	108.179.234.136	192.168.2.4	334 UGFzc3dvcmQ6
Mar 11, 2024 20:53:08.621875048 CET	587	49729	108.179.234.136	192.168.2.4	235 Authentication succeeded
Mar 11, 2024 20:53:08.625274897 CET	49729	587	192.168.2.4	108.179.234.136	MAIL FROM:<work2@wapination.net>
Mar 11, 2024 20:53:08.737966061 CET	587	49729	108.179.234.136	192.168.2.4	250 OK
Mar 11, 2024 20:53:08.738245010 CET	49729	587	192.168.2.4	108.179.234.136	RCPT TO:<work2@wapination.net>
Mar 11, 2024 20:53:08.849808931 CET	587	49729	108.179.234.136	192.168.2.4	250 Accepted
Mar 11, 2024 20:53:08.850052118 CET	49729	587	192.168.2.4	108.179.234.136	DATA
Mar 11, 2024 20:53:08.959705114 CET	587	49729	108.179.234.136	192.168.2.4	354 Enter message, ending with "." on a line by itself
Mar 11, 2024 20:53:08.961608887 CET	49729	587	192.168.2.4	108.179.234.136	.
Mar 11, 2024 20:53:09.072422028 CET	587	49729	108.179.234.136	192.168.2.4	250 OK id=1rjlhs-0000wR-2u
Mar 11, 2024 20:54:47.621552944 CET	49729	587	192.168.2.4	108.179.234.136	QUIT
Mar 11, 2024 20:54:47.932261944 CET	587	49729	108.179.234.136	192.168.2.4	221 gator4249.hostgator.com closing connection

Target ID:	0
Start time:	20:52:59
Start date:	11/03/2024
Path:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
Imagebase:	0xf90000
File size:	1'210'368 bytes
MD5 hash:	D5F853358E53CAE39DBA60601507842C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1690019977.0000000004330000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:53:02
Start date:	11/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
Imagebase:	0x240000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:53:02
Start date:	11/03/2024
Path:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
Imagebase:	0xf90000
File size:	1'210'368 bytes
MD5 hash:	D5F853358E53CAE39DBA60601507842C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1718278629.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:53:04
Start date:	11/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment_Advice-pdf.exe
Imagebase:	0x7b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.2910016483.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2912325728.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.2912925365.0000000005270000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2911331278.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2911041529.000000000292E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2911331278.0000000002C97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.2913029107.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2911331278.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	163

Executed Functions

Function 00F93B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F93B7A
IsDebuggerPresent.KERNEL32 ref: 00F93B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,010562F8,010562E0,?,?), ref: 00F93BFD

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

Part of subcall function 00FA0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F93C26,010562F8,?,?,?), ref: 00FA0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00F93C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010493F0,00000010), ref: 00FCD4BC
SetCurrentDirectoryW.KERNEL32(?,010562F8,?,?,?), ref: 00FCD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01045D40,010562F8,?,?,?), ref: 00FCD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00FCD581

Part of subcall function 00F93A58: GetSysColorBrush.USER32(0000000F), ref: 00F93A62
Part of subcall function 00F93A58: LoadCursorW.USER32(00000000,00007F00), ref: 00F93A71
Part of subcall function 00F93A58: LoadIconW.USER32(00000063), ref: 00F93A88
Part of subcall function 00F93A58: LoadIconW.USER32(000000A4), ref: 00F93A9A
Part of subcall function 00F93A58: LoadIconW.USER32(000000A2), ref: 00F93AAC
Part of subcall function 00F93A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F93AD2
Part of subcall function 00F93A58: RegisterClassExW.USER32(?), ref: 00F93B28

Part of subcall function 00F939E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F93A15
Part of subcall function 00F939E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F93A36
Part of subcall function 00F939E7: ShowWindow.USER32(00000000,?,?), ref: 00F93A4A
Part of subcall function 00F939E7: ShowWindow.USER32(00000000,?,?), ref: 00F93A53

Part of subcall function 00F943DB: _memset.LIBCMT ref: 00F94401
Part of subcall function 00F943DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F944A6

Strings

runas, xrefs: 00FCD575
This is a third-party compiled AutoIt script., xrefs: 00FCD4B4

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 0c699337c8022153e314e51f8ab0f2df358c9133d488ceab16483b176d1e5229
Instruction ID: aeb082e232b870da709e9371a8e5df1221da0f4d35d56e8f7c41c3cd5756649d
Opcode Fuzzy Hash: 0c699337c8022153e314e51f8ab0f2df358c9133d488ceab16483b176d1e5229
Instruction Fuzzy Hash: 7B513731D04749ABEF21EBB4DC06EFE7BB8AF04350F004169F891A6142DA3F5A45EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00F94AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F94B2B

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

GetCurrentProcess.KERNEL32(?,0101FAEC,00000000,00000000,?), ref: 00F94BF8
IsWow64Process.KERNEL32(00000000), ref: 00F94BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F94C45
FreeLibrary.KERNEL32(00000000), ref: 00F94C50
GetSystemInfo.KERNEL32(00000000), ref: 00F94C81
GetSystemInfo.KERNEL32(00000000), ref: 00F94C8D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: ea4f4952ed12aa10e14536956b7559056196ed01eaaf06616d248f28210c408b
Instruction ID: 42258be8ef15870a311f2d5b93a65d9ada67d72efcdb7e3bdb0c0f485e503468
Opcode Fuzzy Hash: ea4f4952ed12aa10e14536956b7559056196ed01eaaf06616d248f28210c408b
Instruction Fuzzy Hash: B691F73194A7C1DEDB31DB788551AAAFFE4AF76310B444DADD0CB83A41D224F908E719

Uniqueness

Uniqueness Score: -1.00%

Function 00F94FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F94EEE,?,?,00000000,00000000), ref: 00F94FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F94EEE,?,?,00000000,00000000), ref: 00F95010
LoadResource.KERNEL32(?,00000000,?,?,00F94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F94F8F), ref: 00FCDD60
SizeofResource.KERNEL32(?,00000000,?,?,00F94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F94F8F), ref: 00FCDD75
LockResource.KERNEL32(00F94EEE,?,?,00F94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F94F8F,00000000), ref: 00FCDD88

Strings

SCRIPT, xrefs: 00F95006

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: be78f94081306edd7e436d2553d8e43148d2377ad7af77ff6d9e3ad4edb525e6
Instruction ID: f8d57cb275e866735a0fcc57dd2dab3e367903db6539b0a8f6e6bc878872a50b
Opcode Fuzzy Hash: be78f94081306edd7e436d2553d8e43148d2377ad7af77ff6d9e3ad4edb525e6
Instruction Fuzzy Hash: 7D119A71600B02AFEB318B25DC48F677BB9EBC9B11F20416CF44686260DB7AE8049760

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 6d026bf438d3411ea999e2ec042e937d1dd39b5d7c448a6dac726f0f8e7a028d
Instruction ID: a493b44c51104e7427c4c4509de4269574bf1a5999390322861e24efa8171d6e
Opcode Fuzzy Hash: 6d026bf438d3411ea999e2ec042e937d1dd39b5d7c448a6dac726f0f8e7a028d
Instruction Fuzzy Hash: AE926DB5A083418FD720DF14D480B6AB7E1BF85314F18896DF88A8B361DB75EC45EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FCE7C1), ref: 00FF46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00FF46B7
FindClose.KERNEL32(00000000), ref: 00FF46C7

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 30e32ae44c8d0f351c01b31d1274d89e6eee5f8462341a1055cdbda46671e2c3
Instruction ID: e07d2d0418ed33838930facaac89805bc48773ca7753874cf5a637b0e21dcacc
Opcode Fuzzy Hash: 30e32ae44c8d0f351c01b31d1274d89e6eee5f8462341a1055cdbda46671e2c3
Instruction Fuzzy Hash: 55E020328104065B4220A638EC4D4FBB75CDE06335F100715FA75C11E0FBBC6D5497D5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00FD428C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 19880f4242b37d7194b0244a6dd04ef5449b02f54cd644f2df6d353d28ea4d5f
Instruction ID: 7c39156fc54fd67ee352ef865f91b3e240653761cc9833cdcc2ffe4a946a5b2b
Opcode Fuzzy Hash: 19880f4242b37d7194b0244a6dd04ef5449b02f54cd644f2df6d353d28ea4d5f
Instruction Fuzzy Hash: 2BA27C75E00205CBEF24CF58C480AAAB7B2FF48314F68805AE956AB351D735AD46EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA0BBB
timeGetTime.WINMM ref: 00FA0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA0FB3
TranslateMessage.USER32(?), ref: 00FA0FC7
DispatchMessageW.USER32(?), ref: 00FA0FD5
Sleep.KERNEL32(0000000A), ref: 00FA0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00FA105A
DestroyWindow.USER32 ref: 00FA1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FA1080
Sleep.KERNEL32(0000000A,?,?), ref: 00FD52AD
TranslateMessage.USER32(?), ref: 00FD608A
DispatchMessageW.USER32(?), ref: 00FD6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD60AC

Strings

@TRAY_ID, xrefs: 00FD5BB9
@COM_EVENTOBJ, xrefs: 00FD591A
@GUI_CTRLID, xrefs: 00FD5364
@GUI_WINHANDLE, xrefs: 00FD53B9
@GUI_CTRLHANDLE, xrefs: 00FD540E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: ff324fbe5c99b5fa565bb2fb434b17aefdd0fdc2f7f5ce431ca10585ab763f7f
Instruction ID: 24063fb25c4c17ae666e15f6da80aae374bf10e7c47ab9033294ca461bce7523
Opcode Fuzzy Hash: ff324fbe5c99b5fa565bb2fb434b17aefdd0fdc2f7f5ce431ca10585ab763f7f
Instruction Fuzzy Hash: 59B2C370A08741DFDB24DF24C884BAAB7E5BF85714F18491EF48987391DB79E844EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FF93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF91E9: __time64.LIBCMT ref: 00FF91F3

Part of subcall function 00F95045: _fseek.LIBCMT ref: 00F9505D

__wsplitpath.LIBCMT ref: 00FF94BE

Part of subcall function 00FB432E: __wsplitpath_helper.LIBCMT ref: 00FB436E

_wcscpy.LIBCMT ref: 00FF94D1
_wcscat.LIBCMT ref: 00FF94E4
__wsplitpath.LIBCMT ref: 00FF9509
_wcscat.LIBCMT ref: 00FF951F
_wcscat.LIBCMT ref: 00FF9532

Part of subcall function 00FF922F: _memmove.LIBCMT ref: 00FF9268
Part of subcall function 00FF922F: _memmove.LIBCMT ref: 00FF9277

_wcscmp.LIBCMT ref: 00FF9479

Part of subcall function 00FF99BE: _wcscmp.LIBCMT ref: 00FF9AAE
Part of subcall function 00FF99BE: _wcscmp.LIBCMT ref: 00FF9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FF96DC
_wcsncpy.LIBCMT ref: 00FF974F
DeleteFileW.KERNEL32(?,?), ref: 00FF9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FF979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF97BE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 9e7a955fd5ad6f3e1e7409ea8cf485c07cf5cfe7de2d5e3f228a7d80133be217
Instruction ID: 107fc7790b3278e094d52994477d62964dc068a3a940bc74515d77e24a3e71ad
Opcode Fuzzy Hash: 9e7a955fd5ad6f3e1e7409ea8cf485c07cf5cfe7de2d5e3f228a7d80133be217
Instruction Fuzzy Hash: C1C15BB1D0021DAADF21DF95CC85EEEB7BDEF44310F0040AAF609E6161EB749A449F65

Uniqueness

Uniqueness Score: -1.00%

Function 00F93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93074
RegisterClassExW.USER32(00000030), ref: 00F9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
LoadIconW.USER32(000000A9), ref: 00F930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

+, xrefs: 00F9305D
TaskbarCreated, xrefs: 00F930A4
AutoIt v3 GUI, xrefs: 00F93090
0, xrefs: 00F93056

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 374f87347123bf0618b29fe5f9151f22864f98a3ae6e3acc4c4dd5ea95197aa0
Instruction ID: 9624b570e633f8dfc1f7fa2868dfbacb0ca48288f47dbe9fa23db968fe1a95df
Opcode Fuzzy Hash: 374f87347123bf0618b29fe5f9151f22864f98a3ae6e3acc4c4dd5ea95197aa0
Instruction Fuzzy Hash: 78316BB184530AEFDB61DFA4D889ADABBF0FB09310F10465AE5C0E6284D3BE0549CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93074
RegisterClassExW.USER32(00000030), ref: 00F9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
LoadIconW.USER32(000000A9), ref: 00F930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

+, xrefs: 00F9305D
TaskbarCreated, xrefs: 00F930A4
AutoIt v3 GUI, xrefs: 00F93090
0, xrefs: 00F93056

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: acfddc9521c400b2d5b6550fcdeb1f081d6c4cd6ff83c4d3069aec207c752952
Instruction ID: 740b3af39e6dc80c767a4026bdd818f3172301dc19283b68d8caa9ddaf1bebd3
Opcode Fuzzy Hash: acfddc9521c400b2d5b6550fcdeb1f081d6c4cd6ff83c4d3069aec207c752952
Instruction Fuzzy Hash: A921C7B1D01319AFDB20DFA4E849B9EBBF4FB08710F40421AF591E6284D7BB45488F91

Uniqueness

Uniqueness Score: -1.00%

Function 00F971EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F94864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010562F8,?,00F937C0,?), ref: 00F94882

Part of subcall function 00FB074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F972C5), ref: 00FB0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F97308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FCECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FCED32
RegCloseKey.ADVAPI32(?), ref: 00FCED70
_wcscat.LIBCMT ref: 00FCEDC9

Strings

\, xrefs: 00FCEDEC
Software\AutoIt v3\AutoIt, xrefs: 00F972FE
Include, xrefs: 00FCECE8, 00FCED29
\Include\, xrefs: 00F972C5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: f3e1efa10e06bf1fd4addc3f0a8459d0efe1bca0fb8222c6fa98711c1b67315c
Instruction ID: 71608b777fca1ddaf6ca68d3035884a9b7fad106f52417d38acd7850e8e4538c
Opcode Fuzzy Hash: f3e1efa10e06bf1fd4addc3f0a8459d0efe1bca0fb8222c6fa98711c1b67315c
Instruction Fuzzy Hash: 7D71A2715083019ED724EF25EC819AFB7F8FF94790F80052EF48587164DB399948EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F93A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93A62
LoadCursorW.USER32(00000000,00007F00), ref: 00F93A71
LoadIconW.USER32(00000063), ref: 00F93A88
LoadIconW.USER32(000000A4), ref: 00F93A9A
LoadIconW.USER32(000000A2), ref: 00F93AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F93AD2
RegisterClassExW.USER32(?), ref: 00F93B28

Part of subcall function 00F93041: GetSysColorBrush.USER32(0000000F), ref: 00F93074
Part of subcall function 00F93041: RegisterClassExW.USER32(00000030), ref: 00F9309E
Part of subcall function 00F93041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
Part of subcall function 00F93041: InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
Part of subcall function 00F93041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
Part of subcall function 00F93041: LoadIconW.USER32(000000A9), ref: 00F930F2
Part of subcall function 00F93041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

0, xrefs: 00F93B06
AutoIt v3, xrefs: 00F93B17
#, xrefs: 00F93B0D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c5ee5496a0d2c9a9dddff74dffee134c50bed98a43b885d68f0d00fc2fd82da7
Instruction ID: 8e2b09ae6964010061b3e8910faad1a30ca84ce2f91ff275e47ce034aa9dc7ca
Opcode Fuzzy Hash: c5ee5496a0d2c9a9dddff74dffee134c50bed98a43b885d68f0d00fc2fd82da7
Instruction Fuzzy Hash: 1F214871D00309BFEB209FA4E809B9E7BB4FB08750F40012AF584A6294D3BF5A589F84

Uniqueness

Uniqueness Score: -1.00%

Function 00F93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F936D2
KillTimer.USER32(?,00000001), ref: 00F936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F9372A
CreatePopupMenu.USER32 ref: 00F9373E
PostQuitMessage.USER32(00000000), ref: 00F9375F

Strings

TaskbarCreated, xrefs: 00F93725

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5ad683a5023211bec546a903a0ebbea43e04705dfaa8d6f6be51fdd5f13fb4d1
Instruction ID: 9d903f48bd9b2218a9a1667f9b49e1b1ca58169515ea03b8f50fae3c9d2bdd69
Opcode Fuzzy Hash: 5ad683a5023211bec546a903a0ebbea43e04705dfaa8d6f6be51fdd5f13fb4d1
Instruction Fuzzy Hash: 894125B2608606BBFF345BA8DC09F7A3755FB01310F040119FA82C6295CA6FAE04B763

Uniqueness

Uniqueness Score: -1.00%

Function 00F93778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00F9380D
/AutoIt3OutputDebug, xrefs: 00F938A4
/AutoIt3ExecuteLine, xrefs: 00F938B9
/AutoIt3ExecuteScript, xrefs: 00F938CE
CMDLINE, xrefs: 00F93834
/ErrorStdOut, xrefs: 00F9388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F937C0

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 351fde34739c14597391ddafc1e628cef36c227a3860f51cecb7d6ad4bbc6c78
Instruction ID: 33701d39d44c92bc57fc1f3d47d24994a494ab8555dcb9fc1f7d014772f07543
Opcode Fuzzy Hash: 351fde34739c14597391ddafc1e628cef36c227a3860f51cecb7d6ad4bbc6c78
Instruction Fuzzy Hash: B5A16E72C142199AEF15FFA4CC92EEEB778BF14340F440029F452A7191DF796A09EB60

Uniqueness

Uniqueness Score: -1.00%

Function 019B2770 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 019B2841
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 019B2A67

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 56d4a07515a69c217c6e9093a4c978e985ec34eac0ef6790ae7a8c87854d9146
Instruction ID: 361dd1d5868264216593228e5788a3ccc672ecbd38fdb1c7e7c9c6ada2de8c8e
Opcode Fuzzy Hash: 56d4a07515a69c217c6e9093a4c978e985ec34eac0ef6790ae7a8c87854d9146
Instruction Fuzzy Hash: 5BA13B70E00209EBDB14CFA4CA98BEEBBB5FF48705F208559E109BB281C775AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F939E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F93A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F93A36
ShowWindow.USER32(00000000,?,?), ref: 00F93A4A
ShowWindow.USER32(00000000,?,?), ref: 00F93A53

Strings

AutoIt v3, xrefs: 00F93A0D, 00F93A12, 00F93A13
edit, xrefs: 00F93A30

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: de7042a2534a8cfd79fd0ecfea5c0bf27a883363b44c9e56cce257beafb0384e
Instruction ID: 6c47b83be5f0562e952a6276f7a93702ef45573cba0b55f9ab4085d69ea5a828
Opcode Fuzzy Hash: de7042a2534a8cfd79fd0ecfea5c0bf27a883363b44c9e56cce257beafb0384e
Instruction Fuzzy Hash: 93F03A716407907EEB311663AC08E272E7DE7C6F90B40001EB944E2158C2AF1800CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 019B24E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 019B265F
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 019B2694
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 019B26B7
ExitProcess.KERNEL32(00000000), ref: 019B2718

Strings

VTDM5DVQ33BABY, xrefs: 019B26C2, 019B26C5

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: File$AllocCreateExitProcessReadVirtual
String ID: VTDM5DVQ33BABY
API String ID: 1333605300-107314074
Opcode ID: 81e2674dc8d4a359a6632efcdf41dd23f0c743a9f7998e0a89ec9c1782ec5f3e
Instruction ID: a5b8e9cd30fe0421baea7c6b74e33a7c75466f00550a0d620bb9a8ec800a08aa
Opcode Fuzzy Hash: 81e2674dc8d4a359a6632efcdf41dd23f0c743a9f7998e0a89ec9c1782ec5f3e
Instruction Fuzzy Hash: F261A030E14248DBEF11DBB4C994BEEBB79EF58700F004599E609BB2C0D7B96A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00F9410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FCD5EC

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

_memset.LIBCMT ref: 00F9418D
_wcscpy.LIBCMT ref: 00F941E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F941F1

Strings

Line: , xrefs: 00FCD615

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 1453c6b71354abcc64cdfdf42b82ffd1053eec7546b0df9c9fa1e67a81835455
Instruction ID: 82ab693da7509545e61e2e7492ff8168ba9dfad5a76bd06b426985147216078e
Opcode Fuzzy Hash: 1453c6b71354abcc64cdfdf42b82ffd1053eec7546b0df9c9fa1e67a81835455
Instruction Fuzzy Hash: 9231EF71408304AAEB31FB60DC46FDB77E8AF54310F10491EF1C592091EF79A689EB96

Uniqueness

Uniqueness Score: -1.00%

Function 00FB564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FB56AB
_memcpy_s.LIBCMT ref: 00FB571D
__read_nolock.LIBCMT ref: 00FB577B
__filbuf.LIBCMT ref: 00FB579E
_memset.LIBCMT ref: 00FB57E2

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 7b18aa6b19bb5e1102499a7ba43ea174d86b94104dab1097dd37e5e835b70316
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 11519671F00B09DBDB249E6AC8847EE77A6AF44B30F348729E825961D0DB789D51AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F969CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00F94F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94F6F

_free.LIBCMT ref: 00FCE68C
_free.LIBCMT ref: 00FCE6D3

Part of subcall function 00F96BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F96D0D

Strings

Bad directive syntax error, xrefs: 00FCE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00FCE462

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 2800544fde017d4739e406dea5808d0fe84cde94fa7fa1b6326e8dbf2f6fe11c
Instruction ID: daff3086e61e8acf20a8fd85e3207e21e26e878c8c645dd64a8dd3b54bc84545
Opcode Fuzzy Hash: 2800544fde017d4739e406dea5808d0fe84cde94fa7fa1b6326e8dbf2f6fe11c
Instruction Fuzzy Hash: 59916E7192021A9FDF04EFA4CD92EEDB7B4FF14314F144469F815AB2A1DB38A905EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F935A1,SwapMouseButtons,00000004,?), ref: 00F935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F935A1,SwapMouseButtons,00000004,?,?,?,?,00F92754), ref: 00F935F5
RegCloseKey.KERNELBASE(00000000,?,?,00F935A1,SwapMouseButtons,00000004,?,?,?,?,00F92754), ref: 00F93617

Strings

Control Panel\Mouse, xrefs: 00F935D2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 948a8f1f7ed899bc5172cd81e95f5a3c35f8f8a9f57f8b7a57ff7ab292d7e5e4
Instruction ID: a616b7d14dea52aa66eb175a01fd702a99dae6a909f8b43c19398f6d2f2ad6d5
Opcode Fuzzy Hash: 948a8f1f7ed899bc5172cd81e95f5a3c35f8f8a9f57f8b7a57ff7ab292d7e5e4
Instruction Fuzzy Hash: 57115A71910208BFEF21CFA8D844EAFBBB8EF04750F004459F805D7200D2719F44A760

Uniqueness

Uniqueness Score: -1.00%

Function 019B1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019B1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019B1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019B1B73
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 019B1E7C

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: ccd039124fc6c1cbba10b731756dcae81c5b697fabd5e9f0d3ea8e9e0934fa5f
Instruction ID: 3a91b9c64d22b791929de37f83c991e2453e634ff294cb147b90be96cfcdd307
Opcode Fuzzy Hash: ccd039124fc6c1cbba10b731756dcae81c5b697fabd5e9f0d3ea8e9e0934fa5f
Instruction Fuzzy Hash: 5A622B30A14258DBEB24CFA4D990BDEB376EF58300F1091A9D20DEB394E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00FF97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F95045: _fseek.LIBCMT ref: 00F9505D

Part of subcall function 00FF99BE: _wcscmp.LIBCMT ref: 00FF9AAE
Part of subcall function 00FF99BE: _wcscmp.LIBCMT ref: 00FF9AC1

_free.LIBCMT ref: 00FF992C
_free.LIBCMT ref: 00FF9933
_free.LIBCMT ref: 00FF999E

Part of subcall function 00FB2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FB9C64), ref: 00FB2FA9
Part of subcall function 00FB2F95: GetLastError.KERNEL32(00000000,?,00FB9C64), ref: 00FB2FBB

_free.LIBCMT ref: 00FF99A6

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: fd18de759458e21508ccb8b902dfc4ac475c3880c7526805842eb646ad61b447
Instruction ID: bbe973e8634009bb5126316796ebf14e8913d04044732a339d4ca2ba2b670eda
Opcode Fuzzy Hash: fd18de759458e21508ccb8b902dfc4ac475c3880c7526805842eb646ad61b447
Instruction Fuzzy Hash: 55516EB1D04618AFDF249F65CC85BAEBBB9EF48310F0004AEB209A7251DB755E80DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00FB493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB49D0
__flush.LIBCMT ref: 00FB49F0
__write.LIBCMT ref: 00FB4A23
__flsbuf.LIBCMT ref: 00FB4A51

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 8f5666d3976ddc6023546a1469f63158e13e4bee23cde4562e831f7878319838
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: F341D671A407059BDF18CEABCA809EF7BA9EF80360B24813DE855C7642D774BD40AF44

Uniqueness

Uniqueness Score: -1.00%

Function 00F973E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCEE62
GetOpenFileNameW.COMDLG32(?), ref: 00FCEEAC

Part of subcall function 00F948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F948A1,?,?,00F937C0,?), ref: 00F948CE

Part of subcall function 00FB09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB09F4

Strings

X, xrefs: 00FCEE7A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 3451eaa05043bb5ca1e95265c39eec7944a7fa88eb816b977333ac234af05831
Instruction ID: 867871f903368c42a1343a4280bc27e8ac521aa895da12a882123426e6a1dd91
Opcode Fuzzy Hash: 3451eaa05043bb5ca1e95265c39eec7944a7fa88eb816b977333ac234af05831
Instruction Fuzzy Hash: BB21D571A103589BDF15EF94CC45BEE7BF8AF49314F00405AF408A7241DBB859899FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF9036
__fread_nolock.LIBCMT ref: 00FF904B

Strings

EA06, xrefs: 00FF907D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f3fe2b14f65f4fe372eff6679c84534cef8feafa335a2ea7136d18a74f76ecbf
Instruction ID: 50f4ae8f3c890aa5511825487885e98640cca9d342dba4b0d50070701f35d263
Opcode Fuzzy Hash: f3fe2b14f65f4fe372eff6679c84534cef8feafa335a2ea7136d18a74f76ecbf
Instruction Fuzzy Hash: C001F972904218AEDB28C6A9CC56FFE7BF89F05701F00419EF552D6181E9B9E604DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FF9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FF9B99

Strings

aut, xrefs: 00FF9B93

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a13bf8397775e60dcef0da82482992ecf9306778124b4be687c78351d5262d02
Instruction ID: 78e19d832bd971b9b4f8ff2f85a495cce1388e020403931c7aea47186c96abab
Opcode Fuzzy Hash: a13bf8397775e60dcef0da82482992ecf9306778124b4be687c78351d5262d02
Instruction Fuzzy Hash: F5D05E7958030EABDB20DA90DC4EFDA776CE744700F0042A1FE9496091DEB955988B91

Uniqueness

Uniqueness Score: -1.00%

Function 0100CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2dfb71fc9b3031f1fa7cdee8b536c09c249ee82269b46ea0869d4b7b1d1cbd
Instruction ID: d61007308235114033ff76e207fb32cd076a67465c71ddf731d5c62d8b5aea44
Opcode Fuzzy Hash: 9e2dfb71fc9b3031f1fa7cdee8b536c09c249ee82269b46ea0869d4b7b1d1cbd
Instruction Fuzzy Hash: 21F169709083019FDB11DF68C880A6EBBE5FF88314F04896EF8999B291D775E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB03D3
Part of subcall function 00FB03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB03DB
Part of subcall function 00FB03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB03E6
Part of subcall function 00FB03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB03F1
Part of subcall function 00FB03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB03F9
Part of subcall function 00FB03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB0401

Part of subcall function 00FA6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F9FA90), ref: 00FA62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F9FB2D
OleInitialize.OLE32(00000000), ref: 00F9FBAA
CloseHandle.KERNEL32(00000000), ref: 00FD49F2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 919d39a1670882a22e1b65c4f12fae1e80674a3932e77f6cf75300e59551821f
Instruction ID: afbfa68b29e5d78ea95c8bda82f3dabb4373c0b782e8ad9bf919c4f167820f05
Opcode Fuzzy Hash: 919d39a1670882a22e1b65c4f12fae1e80674a3932e77f6cf75300e59551821f
Instruction Fuzzy Hash: 2881B7B09013408FCBA4EF69E9546277EE6FB99314790826AD499C735AEF3F4408DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00F943DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F94401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F944A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F944C3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 27f985b95b04f3bb28a202a5139bef466ad6936dd95575f76539910a6d23fbcd
Instruction ID: 880e6631a0cba0d10561183359aaeeadc725675b55ee8bbd80a19a263c0a372e
Opcode Fuzzy Hash: 27f985b95b04f3bb28a202a5139bef466ad6936dd95575f76539910a6d23fbcd
Instruction Fuzzy Hash: 1B3161719047019FEB31DF24D884B9BBBE8FB58354F00092EE9DA83241D77AA949DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FB594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FB5963

Part of subcall function 00FBA3AB: __NMSG_WRITE.LIBCMT ref: 00FBA3D2
Part of subcall function 00FBA3AB: __NMSG_WRITE.LIBCMT ref: 00FBA3DC

__NMSG_WRITE.LIBCMT ref: 00FB596A

Part of subcall function 00FBA408: GetModuleFileNameW.KERNEL32(00000000,010543BA,00000104,?,00000001,00000000), ref: 00FBA49A
Part of subcall function 00FBA408: ___crtMessageBoxW.LIBCMT ref: 00FBA548

Part of subcall function 00FB32DF: ___crtCorExitProcess.LIBCMT ref: 00FB32E5
Part of subcall function 00FB32DF: ExitProcess.KERNEL32 ref: 00FB32EE

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

RtlAllocateHeap.NTDLL(019F0000,00000000,00000001,00000000,?,?,?,00FB1013,?), ref: 00FB598F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a5e3102c75dd75601366a23798351c89d152b41023f935e4e1b684cd5286ac71
Instruction ID: 94fa278707f6fc36811b0ecc91bcf5b9a5995d5cecdca9ad36af57b4248f7f47
Opcode Fuzzy Hash: a5e3102c75dd75601366a23798351c89d152b41023f935e4e1b684cd5286ac71
Instruction Fuzzy Hash: 2701D236740B16DEE7212B27EC42BEE72988F82BB0F10002AF504DA1C1DA7D9D41BF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FF97D2,?,?,?,?,?,00000004), ref: 00FF9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FF97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FF9B5B
CloseHandle.KERNEL32(00000000,?,00FF97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FF9B62

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 50ef976ee2de616d5d275d31c65966be25bb40a3f01be302bade492d73ebc48e
Instruction ID: 59485ae4057c0c4775b26c8f93f1356ff9f78d8ff4ba320e96fa32a5beef2e7e
Opcode Fuzzy Hash: 50ef976ee2de616d5d275d31c65966be25bb40a3f01be302bade492d73ebc48e
Instruction Fuzzy Hash: 8DE08632580615B7D7311A94EC09FDA7B18AB06771F108210FB64690E0C7BA26159798

Uniqueness

Uniqueness Score: -1.00%

Function 00FF8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF8FA5

Part of subcall function 00FB2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FB9C64), ref: 00FB2FA9
Part of subcall function 00FB2F95: GetLastError.KERNEL32(00000000,?,00FB9C64), ref: 00FB2FBB

_free.LIBCMT ref: 00FF8FB6
_free.LIBCMT ref: 00FF8FC8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7ae2d2e3dd28ae231ba4dfbfc9ff98cbdd3434907fe9d12881c55d2a38818b0b
Instruction ID: 2b349a70ec0e9ab5a0d0aa3608da3cdd618f741d9c9926f04ead0d9b1f1db463
Opcode Fuzzy Hash: 7ae2d2e3dd28ae231ba4dfbfc9ff98cbdd3434907fe9d12881c55d2a38818b0b
Instruction Fuzzy Hash: 08E0C2A1B087014ECA20A539ED04AF327EE0F483A0708080DB509DB182CE28E842A424

Uniqueness

Uniqueness Score: -1.00%

Function 00F9AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00FD002B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ae499ca0a3108ae038207e43e06dd10a30f2f5b393e36f48743d4a42dbd31fcd
Instruction ID: 00e2a718adb842092949578f661a6666fad49fb02db9448718cf9f9c226c7987
Opcode Fuzzy Hash: ae499ca0a3108ae038207e43e06dd10a30f2f5b393e36f48743d4a42dbd31fcd
Instruction Fuzzy Hash: 4A224A71908341CFDB24DF14C994B6ABBE1BF85310F15895DE8868B361DB35EC85EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F94DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F94E1A

Strings

EA06, xrefs: 00FCDCF5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: c1f95829b6e78243aa01c0d8332adea7ba64b16b970ebeddc41641bd876934f9
Instruction ID: f02cc171741fc4ddb8d57150a735a8df338006ac4cc02362e98bd6ed69b2f9d8
Opcode Fuzzy Hash: c1f95829b6e78243aa01c0d8332adea7ba64b16b970ebeddc41641bd876934f9
Instruction Fuzzy Hash: E5417D32E041545BFF16AF648C51FBF7FA6AF61310F184075F8829B282D525AD42B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019B2460 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 019B24BA

Strings

D, xrefs: 019B2474

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: cc5cc974fc25a74a4e4796500e7ee75bd57132378abb324dc9bdb49e0f57563c
Instruction ID: 6b4f475d171eb5d5bc4a2b69654a503edbf6e79fc5b879c8b4b5089aca4ae4e1
Opcode Fuzzy Hash: cc5cc974fc25a74a4e4796500e7ee75bd57132378abb324dc9bdb49e0f57563c
Instruction Fuzzy Hash: D6011D7190030CABDB20DBE0CD89FFE777DEF44B01F508549BB199A180EB78A6488B65

Uniqueness

Uniqueness Score: -1.00%

Function 019B12FD Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019B1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019B1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019B1B73
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 019B1E7C

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 3d1e4b3f166ec283fe2d5bf78a98f7b519b979f5ada0f0792ca7e624af7e183c
Instruction ID: 56d4f5de3e9ac1f83de0e743c8ef1378e0ada04718f5fadc7ab51fff6781409a
Opcode Fuzzy Hash: 3d1e4b3f166ec283fe2d5bf78a98f7b519b979f5ada0f0792ca7e624af7e183c
Instruction Fuzzy Hash: 6A12ED24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A5F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00F9492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F94992

Part of subcall function 00FB35AC: __lock.LIBCMT ref: 00FB35B2
Part of subcall function 00FB35AC: DecodePointer.KERNEL32(00000001,?,00F949A7,00FE81BC), ref: 00FB35BE
Part of subcall function 00FB35AC: EncodePointer.KERNEL32(?,?,00F949A7,00FE81BC), ref: 00FB35C9

Part of subcall function 00F94A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F94A73
Part of subcall function 00F94A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F94A88

Part of subcall function 00F93B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F93B7A
Part of subcall function 00F93B4C: IsDebuggerPresent.KERNEL32 ref: 00F93B8C
Part of subcall function 00F93B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010562F8,010562E0,?,?), ref: 00F93BFD
Part of subcall function 00F93B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00F93C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F949D2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: d0c7d17597af3c2cfe12d861f902a63d569de3e8473c631a93441c22b9686723
Instruction ID: 6cae0d43de16e6ba178f297d0277daab41048ce9fce4a2bdbd2f998e8c749781
Opcode Fuzzy Hash: d0c7d17597af3c2cfe12d861f902a63d569de3e8473c631a93441c22b9686723
Instruction Fuzzy Hash: 86119D719083119BD720EF29D80590BFFE8EF94750F40451EF085832A1DBBA9945EB96

Uniqueness

Uniqueness Score: -1.00%

Function 00F95DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00F95981,?,?,?,?), ref: 00F95E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00F95981,?,?,?,?), ref: 00FCE19C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58d42f9fbd9c4228ff9d4f67d9eadd2c4ac0d8793b3bfbe353b93cf3e9a64160
Instruction ID: d8854f1fe57e3887066480a204246d6f73b94bba54eacf8cb03b55ed36030c16
Opcode Fuzzy Hash: 58d42f9fbd9c4228ff9d4f67d9eadd2c4ac0d8793b3bfbe353b93cf3e9a64160
Instruction Fuzzy Hash: 5501B571684709BEF7351E24CC8AF763B9CEB01B78F108318BAE55A1D0C6B51E499B54

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB594C: __FF_MSGBANNER.LIBCMT ref: 00FB5963
Part of subcall function 00FB594C: __NMSG_WRITE.LIBCMT ref: 00FB596A
Part of subcall function 00FB594C: RtlAllocateHeap.NTDLL(019F0000,00000000,00000001,00000000,?,?,?,00FB1013,?), ref: 00FB598F

std::exception::exception.LIBCMT ref: 00FB102C
__CxxThrowException@8.LIBCMT ref: 00FB1041

Part of subcall function 00FB87DB: RaiseException.KERNEL32(?,?,?,0104BAF8,00000000,?,?,?,?,00FB1046,?,0104BAF8,?,00000001), ref: 00FB8830

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: ac9949fce0d8eeb0196f841316dee7180c2fefc01f991863c400ed550c80ad95
Instruction ID: e36651bde352a5752cd4c063d1a8114c584557cda41e2064d72db84f17c5e819
Opcode Fuzzy Hash: ac9949fce0d8eeb0196f841316dee7180c2fefc01f991863c400ed550c80ad95
Instruction Fuzzy Hash: FAF0283560021DA7CB24BB9AEC159EF7BACAF003A0F600025F80496141DF748AC1EAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB585C
__lock_file.LIBCMT ref: 00FB587D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: a0018593f3207123756c9f8984395f0dc1a699aed70cfc31ea47b7b4a11dd7d0
Instruction ID: 8bb2ff675603c1fa2e5da9b8f1f21f4fdda7464129ef858cbeaba7ff5988fc3f
Opcode Fuzzy Hash: a0018593f3207123756c9f8984395f0dc1a699aed70cfc31ea47b7b4a11dd7d0
Instruction Fuzzy Hash: 17012171C41609EBCF12AF6B8C06ADE7B65AF847A0F148215B8245A161DB3DCA12FF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

__lock_file.LIBCMT ref: 00FB561B

Part of subcall function 00FB6E4E: __lock.LIBCMT ref: 00FB6E71

__fclose_nolock.LIBCMT ref: 00FB5626

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b21e41c7f3f812b725b67e09d5b491655db1b476b3f175b7ef84da2e39e06b9c
Instruction ID: dad6e17bede72c3b31c64de4b37a81565bd10fc2e49b86ef5bf2f28868f09fb3
Opcode Fuzzy Hash: b21e41c7f3f812b725b67e09d5b491655db1b476b3f175b7ef84da2e39e06b9c
Instruction Fuzzy Hash: 52F0BB71D01A059ADB206F778C427EE77965F80B74F598109E414AB1C1CF7C8902FF55

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f0360fd6b5ce51ee145cfd5e6bca4795f1b895eab87aa817454bdb198c9661
Instruction ID: b3b2e5db780df0463f0f8c475063f69cbd77eb88106343ebce0782f844ee132d
Opcode Fuzzy Hash: e2f0360fd6b5ce51ee145cfd5e6bca4795f1b895eab87aa817454bdb198c9661
Instruction Fuzzy Hash: A9519035B00604AFDF14EB58CD91B6E73A6AF85720F148069F906AB392CA38ED04AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F9774A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ed94a90ccae69cae9cb555ecd5d7f51dcb5fee43a85c2cb21309b51c0c1bb69a
Instruction ID: c499fd32dd85d315da6d2e99874b1699f1f4fc592ede6ba5b5a05cd448554c71
Opcode Fuzzy Hash: ed94a90ccae69cae9cb555ecd5d7f51dcb5fee43a85c2cb21309b51c0c1bb69a
Instruction Fuzzy Hash: 2131D679618B02DFDB24AF59C491A22F7A0FF08320714C56DE959CB365EB30E881EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00F95C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00F95CF6

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 12683ca949f027adae1fa558499ba7dd870208dddbb852fd6b2ca6382d319ba5
Instruction ID: 83852b2c1e5e276de4b9917c54c35ec2ce61ab55703db58d515f9a8db03a9f5b
Opcode Fuzzy Hash: 12683ca949f027adae1fa558499ba7dd870208dddbb852fd6b2ca6382d319ba5
Instruction Fuzzy Hash: 5D315A71A00B0AABDF19CF69C484A6DB7B5FF48720F14862AE81993710D731B960EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FD00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FD00E1

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dd43ac1229ba7beac26d7072dc3abc60932cbb81a469b1c21a8cba1118c525cf
Instruction ID: c8e86c0b6aa896312b40046658791e0006bb01722085e0f53428cd75f55931b6
Opcode Fuzzy Hash: dd43ac1229ba7beac26d7072dc3abc60932cbb81a469b1c21a8cba1118c525cf
Instruction Fuzzy Hash: 7C411574908341CFEB24DF14C884B1ABBE1BF45318F19889DE8894B362C736EC85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F95B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F95B61

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 69cdbe8ee7cb3e7b345037ed30cbed7a36d82b1038eedb6d1f3bebfa05318599
Instruction ID: 57cae944b260298a390d3f85dc344890f13e5871f06168fb4134cb0668fcff4e
Opcode Fuzzy Hash: 69cdbe8ee7cb3e7b345037ed30cbed7a36d82b1038eedb6d1f3bebfa05318599
Instruction Fuzzy Hash: 7921E771A00A09EBEF205F51EA86B6A7FB8FF50750F21846DE4C5C1005EB7694E0FB45

Uniqueness

Uniqueness Score: -1.00%

Function 00F94F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94D13: FreeLibrary.KERNEL32(00000000,?), ref: 00F94D4D

Part of subcall function 00FB548B: __wfsopen.LIBCMT ref: 00FB5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94F6F

Part of subcall function 00F94CC8: FreeLibrary.KERNEL32(00000000), ref: 00F94D02

Part of subcall function 00F94DD0: _memmove.LIBCMT ref: 00F94E1A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 6e5eff033afcfd94d24c5fa457a34f083a0eaf3dc595e75379ff68d87594ad2f
Instruction ID: 0085e556ccfea8d063800b5ee6e102c5612330ef8b77a1e33a34a68ff823f8ee
Opcode Fuzzy Hash: 6e5eff033afcfd94d24c5fa457a34f083a0eaf3dc595e75379ff68d87594ad2f
Instruction Fuzzy Hash: 24112B31A00607AADF10FF70CC02FAD77A49F50711F10842DF541A7181DA796A06BB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FD01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00FD01BB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 77eac14fbc186f66092349f6638d21e4f0d50ba810ca6294b2c8c5ba105515fa
Instruction ID: c6fb382e35481d06c650a673ec428c6ed1b06ce58e69434db3bbc995703adb65
Opcode Fuzzy Hash: 77eac14fbc186f66092349f6638d21e4f0d50ba810ca6294b2c8c5ba105515fa
Instruction Fuzzy Hash: F92124B4908341CFDB24EF65C884B1ABBE1BF84314F05896CE88A47761D735E849EF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB09F4

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 1eb2b5ce544e870d2ed84240686ca0ec49cb052191e25962b534fbff65ecc0c8
Instruction ID: 7c5fcb934317c1e6863c57d806df12ff2a38cf48e5d4a444d8ae48b920384401
Opcode Fuzzy Hash: 1eb2b5ce544e870d2ed84240686ca0ec49cb052191e25962b534fbff65ecc0c8
Instruction Fuzzy Hash: BE019E3268E1C08FC713C7B089AA6C47FA6DE4302432C14DED8C69B123EC55140BEB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F95D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00F95807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00F95D76

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6709aa82a97015d6dddb7553274eaaca17731ea5463f2ae3fb08b6975f365d94
Instruction ID: 93de67bf0319829e6e0ae9773d765562ac9d8d25b1d89805e40e0914563dcddb
Opcode Fuzzy Hash: 6709aa82a97015d6dddb7553274eaaca17731ea5463f2ae3fb08b6975f365d94
Instruction Fuzzy Hash: A7116A31608B019FEB328F05D884B62B7E4EF45B20F10C92EE8AA86A50D771E945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F95BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FCE141

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: be6167496cc4740c6d9da7acf3f0c0ba068c2a6c1c8c658fa0631b0a7a007119
Instruction ID: 8691449354179e59edae6a9656e22f6ebe84e5e3d127a4f020232e486ec11ad8
Opcode Fuzzy Hash: be6167496cc4740c6d9da7acf3f0c0ba068c2a6c1c8c658fa0631b0a7a007119
Instruction Fuzzy Hash: C4018FB9600542AFC706EB69C852E66FBA9FF9A3543148159F819C7702DB34EC21DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEFC4D Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FEFC88

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eeb64eb574f01b22aa695f3b50d3141ecae89211bb67cced2229092baaebf909
Instruction ID: d0c0c5c967207647d1b5e11c8ebaf0ca757431002d255d3b230617bae6347746
Opcode Fuzzy Hash: eeb64eb574f01b22aa695f3b50d3141ecae89211bb67cced2229092baaebf909
Instruction Fuzzy Hash: BD01A9722012656BCB24DF2EDC919BBB7A9EFC5364724443EFD0ACB245E631E901D790

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FB4AD6

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 16e3d55ee46d440212ef709604a2d73738f21f83e3f96012c8f5b4b82f94a68b
Instruction ID: 07849e00a584724613e470a6bef59b551716b3c560099879a5f8d34b6be1b5db
Opcode Fuzzy Hash: 16e3d55ee46d440212ef709604a2d73738f21f83e3f96012c8f5b4b82f94a68b
Instruction Fuzzy Hash: D0F0FF31900209ABDF61AF76CD023EE36A8AF40365F088114B424AA1D3CB7CCA11FF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F94FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94FDE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 95bd361b93a48c079a3259415c70b44f6acca154ec42e119f2f964b44343403a
Instruction ID: 44c136c220bf559baa80e0262f52186a07a923833d568962fb772e44cf46182e
Opcode Fuzzy Hash: 95bd361b93a48c079a3259415c70b44f6acca154ec42e119f2f964b44343403a
Instruction Fuzzy Hash: 17F01572505712CFDB349F64E494D12BBE1BF2432E3248A2EE5DA83A10C776A845EF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FB09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB09F4

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 3a553e4dac2bb3dbd2a3e69ef8c979e6a6260beb9118027fbbd0474e35caeda1
Instruction ID: e9175e3910fa3ea0b8de205b8630211ae0426ff64a4cde0d83c4ca378c85117e
Opcode Fuzzy Hash: 3a553e4dac2bb3dbd2a3e69ef8c979e6a6260beb9118027fbbd0474e35caeda1
Instruction Fuzzy Hash: FDE0CD3690432957D720E5589C06FFA77EDDFC9790F0401B6FC4CD7209DD699C918690

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FF914B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 6ab9962a4b96a5a3c42565abfc3452ae5a2a0d6acc18fb5912e7be12a7949b40
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 09E092B0508B045FDB348A24D810BE373E0AF06315F00091CF29A93351EBA2B841DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00F95DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00FCE16B,?,?,00000000), ref: 00F95DBF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 28dc13e76146c9078118954fd5f62cbf370c5962ea87daf95d204fd68c577a00
Instruction ID: a0e533a0df7a933d7e3bbfaf3cb2b4fb51510164fe1897608edcae2ec87acf1c
Opcode Fuzzy Hash: 28dc13e76146c9078118954fd5f62cbf370c5962ea87daf95d204fd68c577a00
Instruction Fuzzy Hash: 54D0C77464020CBFE710DB80DC46FA9777CD705710F100194FD0456290D6B27D548795

Uniqueness

Uniqueness Score: -1.00%

Function 00FB548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FB5496

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 03206b46e76550dd62b3efd97d4ae563fc8873762e5a230b969af3f51e7303d7
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8DB09B7544010C77DE011D82EC02B553B195740774F404010FB0C18161957795605585

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00FFD46A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 091ddb4901c808cbdeb535e39f96d05982ea8869b4aa4334419906b1d2ad4d8b
Instruction ID: e1b6bdf019cea051260fa0fd0c5db12bfd212e84ed9074c5f590351e975cbe72
Opcode Fuzzy Hash: 091ddb4901c808cbdeb535e39f96d05982ea8869b4aa4334419906b1d2ad4d8b
Instruction Fuzzy Hash: F27195306083058FDB14EF28C8D1A6EB7E1AF84714F08456DF5968B3A1DB78ED09EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00FB0EF7

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6695df00e39c7207d91c62b2c47fb08095fbb0d4f686e9fba03818fedc5e620d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8031B571A00106DFD718DF5AD480AAAF7A6FF59310B648AA5E409CF651DB31EDC1EF80

Uniqueness

Uniqueness Score: -1.00%

Function 019B29BB Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 019B2A67

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a2f09042e8b8218b62577ab9939fd8ad4f1ab35591ca5a7ca790d0063d9bd37b
Instruction ID: f127fd1bf5633adbcaf078fd0899f1e199ce1cc7996cf7d37b16bff0ec002a13
Opcode Fuzzy Hash: a2f09042e8b8218b62577ab9939fd8ad4f1ab35591ca5a7ca790d0063d9bd37b
Instruction Fuzzy Hash: 18010035E40208EFEB64CBA4CA94BDDBBB5EF44701F208199E605A72C1C775AE40DF50

Uniqueness

Uniqueness Score: -1.00%

Function 019B2300 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 019B2312

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: 79e5459a163ea7634a3cbd2f27ace150dac760c8155b1f1c953cb1af8f77dc4e
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: EDF0C43194110EAFCF00EFA4CA89AEEBBB4FF04711F504555FA1AA2180DB30AA51CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0101CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0101CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0101CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0101CF00
SendMessageW.USER32 ref: 0101CF29
_wcsncpy.LIBCMT ref: 0101CFA1
GetKeyState.USER32(00000011), ref: 0101CFC2
GetKeyState.USER32(00000009), ref: 0101CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101CFE5
GetKeyState.USER32(00000010), ref: 0101CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0101D018
SendMessageW.USER32 ref: 0101D03F
SendMessageW.USER32(?,00001030,?,0101B602), ref: 0101D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0101D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0101D16E
SetCapture.USER32(?), ref: 0101D177
ClientToScreen.USER32(?,?), ref: 0101D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0101D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0101D203
ReleaseCapture.USER32 ref: 0101D20E
GetCursorPos.USER32(?), ref: 0101D248
ScreenToClient.USER32(?,?), ref: 0101D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0101D2B1
SendMessageW.USER32 ref: 0101D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0101D31C
SendMessageW.USER32 ref: 0101D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0101D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0101D37B
GetCursorPos.USER32(?), ref: 0101D39B
ScreenToClient.USER32(?,?), ref: 0101D3A8
GetParent.USER32(?), ref: 0101D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0101D431
SendMessageW.USER32 ref: 0101D462
ClientToScreen.USER32(?,?), ref: 0101D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0101D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0101D51A
SendMessageW.USER32 ref: 0101D53D
ClientToScreen.USER32(?,?), ref: 0101D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0101D5C3

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

GetWindowLongW.USER32(?,000000F0), ref: 0101D65F

Strings

F, xrefs: 0101D543
@GUI_DRAGID, xrefs: 0101D1AA

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: c94c95665696870461306824d335959c7f57b08b15dc4a841d301e7e6c8f6831
Instruction ID: b7ce96e1d8a27d62fdb393db986e90fe98c35801a99ecd9f2c8cb10d0e2b0be7
Opcode Fuzzy Hash: c94c95665696870461306824d335959c7f57b08b15dc4a841d301e7e6c8f6831
Instruction Fuzzy Hash: 5642BE74244341AFEB25CF68C948AAABFE5FF48314F040A5DF6D5872A5C73AD844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0101804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0101873F

Strings

%d/%02d/%02d, xrefs: 01018478

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: bbefc9eab1b8285252dee1e78423b200679b89fc98e0d47c02e6ab86ab8a8b5c
Instruction ID: 1ccd7231ae5c3a8c49360ea5304775726cfad1496bf3f93bfa1a19d03b43ddba
Opcode Fuzzy Hash: bbefc9eab1b8285252dee1e78423b200679b89fc98e0d47c02e6ab86ab8a8b5c
Instruction Fuzzy Hash: 1112E371500204AFEB258F68CC49FAF7BF8FF49350F10855AFA95EA299DB788641CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00FA710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA75C2
_memset.LIBCMT ref: 00FA76B1
_memmove.LIBCMT ref: 00FA7C4B
_memmove.LIBCMT ref: 00FA7E4F

Strings

\b(?=\w), xrefs: 00FE3C34
\b(?<=\w), xrefs: 00FE3C41
[:>:]], xrefs: 00FA760A
[:<:]], xrefs: 00FA75F1
Q\E, xrefs: 00FA81C1
DEFINE, xrefs: 00FE25AF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 593d3c5c36ede660b12b9c33add000d16db523cb06c572b563d9803b5c8d1764
Instruction ID: 1b3d63a0f4ead1bc8f8546725f7bb58897225d369729454e89b9b8e324cbe604
Opcode Fuzzy Hash: 593d3c5c36ede660b12b9c33add000d16db523cb06c572b563d9803b5c8d1764
Instruction Fuzzy Hash: 7E93A272E00255DFDB24DF59C885BADB7B1FF48320F25816AE945EB280E7749E81EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F94A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F94A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FCDA8E
IsIconic.USER32(?), ref: 00FCDA97
ShowWindow.USER32(?,00000009), ref: 00FCDAA4
SetForegroundWindow.USER32(?), ref: 00FCDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCDAC4
GetCurrentThreadId.KERNEL32 ref: 00FCDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FCDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FCDAF8
SetForegroundWindow.USER32(?), ref: 00FCDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCDB10
keybd_event.USER32(00000012,00000000), ref: 00FCDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCDB25
keybd_event.USER32(00000012,00000000), ref: 00FCDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCDB33
keybd_event.USER32(00000012,00000000), ref: 00FCDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCDB42
keybd_event.USER32(00000012,00000000), ref: 00FCDB47
SetForegroundWindow.USER32(?), ref: 00FCDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00FCDB71

Strings

Shell_TrayWnd, xrefs: 00FCDA89

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e0bcff19e90f735fa9ea117b5fec24141f0b9e07fecc071bcea7dcada998524e
Instruction ID: 108335eb75f8ec30ff7f5013709016ed56062b08438bb76f5d35973007523ac9
Opcode Fuzzy Hash: e0bcff19e90f735fa9ea117b5fec24141f0b9e07fecc071bcea7dcada998524e
Instruction Fuzzy Hash: 1A316771A40319BBEB315FA19D4AF7F7E6CEB44B60F114029FA04E61C1C6795D01ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00FE8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE8D0D
Part of subcall function 00FE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8D3A
Part of subcall function 00FE8CC3: GetLastError.KERNEL32 ref: 00FE8D47

_memset.LIBCMT ref: 00FE889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FE88ED
CloseHandle.KERNEL32(?), ref: 00FE88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FE8915
GetProcessWindowStation.USER32 ref: 00FE892E
SetProcessWindowStation.USER32(00000000), ref: 00FE8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FE8952

Part of subcall function 00FE8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE8851), ref: 00FE8728
Part of subcall function 00FE8713: CloseHandle.KERNEL32(?,?,00FE8851), ref: 00FE873A

Strings

, xrefs: 00FE88AA
default, xrefs: 00FE894D
winsta0, xrefs: 00FE8910

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e4d6a72952a04a191f1620f3006b298c5243440e4c2fd6295df3b8f8e5e535e8
Instruction ID: fa96b8369571c478a7751b580a57d2eb449ed87278fda2c75619017e8913a0da
Opcode Fuzzy Hash: e4d6a72952a04a191f1620f3006b298c5243440e4c2fd6295df3b8f8e5e535e8
Instruction Fuzzy Hash: CC817071D00249BFDF21EFA5CC44AEE7B78EF04754F14412AF914B6160DB398E06AB60

Uniqueness

Uniqueness Score: -1.00%

Function 0100425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0101F910), ref: 01004284
IsClipboardFormatAvailable.USER32(0000000D), ref: 01004292
GetClipboardData.USER32(0000000D), ref: 0100429A
CloseClipboard.USER32 ref: 010042A6
GlobalLock.KERNEL32(00000000), ref: 010042C2
CloseClipboard.USER32 ref: 010042CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 010042E1
IsClipboardFormatAvailable.USER32(00000001), ref: 010042EE
GetClipboardData.USER32(00000001), ref: 010042F6
GlobalLock.KERNEL32(00000000), ref: 01004303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 01004337
CloseClipboard.USER32 ref: 01004447

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 2f76fa389e1e9e3a85a0f38696c35fc43d5cd20a45257a3dc3c0b626feefe6c1
Instruction ID: c9564272aed8b30c10702d57c5e9ceb1985e30b31e7038359803bedc5f1cdd02
Opcode Fuzzy Hash: 2f76fa389e1e9e3a85a0f38696c35fc43d5cd20a45257a3dc3c0b626feefe6c1
Instruction Fuzzy Hash: A7519E31304302ABE712FF64EC85FAE77A8AB84B00F004519F6D6D21E1DF79D9088B66

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFC9F8
FindClose.KERNEL32(00000000), ref: 00FFCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FFCAAF
__swprintf.LIBCMT ref: 00FFCAFB
__swprintf.LIBCMT ref: 00FFCB3E

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

__swprintf.LIBCMT ref: 00FFCB92

Part of subcall function 00FB38D8: __woutput_l.LIBCMT ref: 00FB3931

__swprintf.LIBCMT ref: 00FFCBE0

Part of subcall function 00FB38D8: __flsbuf.LIBCMT ref: 00FB3953
Part of subcall function 00FB38D8: __flsbuf.LIBCMT ref: 00FB396B

__swprintf.LIBCMT ref: 00FFCC2F
__swprintf.LIBCMT ref: 00FFCC7E
__swprintf.LIBCMT ref: 00FFCCCD

Strings

%02d, xrefs: 00FFCB86, 00FFCB90, 00FFCBDE, 00FFCC2D, 00FFCC7C, 00FFCCCB
%4d, xrefs: 00FFCB38
%4d%02d%02d%02d%02d%02d, xrefs: 00FFCAF5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 41185cffbf69f36d31ed59cf7e63a1d764bac5ae3e92b5690793348f28b74201
Instruction ID: c3696a3dd54ab0814bbcec692c50e7bfa2c849061bb6794786b0939162642b93
Opcode Fuzzy Hash: 41185cffbf69f36d31ed59cf7e63a1d764bac5ae3e92b5690793348f28b74201
Instruction Fuzzy Hash: 16A14FB2508305ABDB10EB65CD85DAFB7ECEF94700F40091DF586C3191EA78EA08DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FFF221
_wcscmp.LIBCMT ref: 00FFF236
_wcscmp.LIBCMT ref: 00FFF24D
GetFileAttributesW.KERNEL32(?), ref: 00FFF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00FFF279
FindNextFileW.KERNEL32(00000000,?), ref: 00FFF291
FindClose.KERNEL32(00000000), ref: 00FFF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00FFF2B8
_wcscmp.LIBCMT ref: 00FFF2DF
_wcscmp.LIBCMT ref: 00FFF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFF308
SetCurrentDirectoryW.KERNEL32(0104A5A0), ref: 00FFF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFF330
FindClose.KERNEL32(00000000), ref: 00FFF33D
FindClose.KERNEL32(00000000), ref: 00FFF34F

Strings

*.*, xrefs: 00FFF2B3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 39d44c63e3884f4940c1635ef0d1049e524987c94f650f9600c9d81fca68a5dd
Instruction ID: b4ff948312c6ed3bfa64e325febbd8a434ae5d805305afddaa0b463a601e9bf1
Opcode Fuzzy Hash: 39d44c63e3884f4940c1635ef0d1049e524987c94f650f9600c9d81fca68a5dd
Instruction Fuzzy Hash: CB31D876A0021E6BDB20DEB5DC88AEE77AC9F08370F104165F944D30A0DB79DA49DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01010AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01010BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0101F910,00000000,?,00000000,?,?), ref: 01010C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01010C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01010D1D
RegCloseKey.ADVAPI32(?), ref: 0101103D
RegCloseKey.ADVAPI32(00000000), ref: 0101104A

Strings

REG_QWORD, xrefs: 01010F8B
REG_MULTI_SZ, xrefs: 01010E05
REG_EXPAND_SZ, xrefs: 01010CBA
REG_SZ, xrefs: 01010D5B
REG_DWORD, xrefs: 01010F0E
REG_BINARY, xrefs: 01010FD8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cd5294bfa9dc5907ccf88c028f5b20bb58ea15ca9d907468cd6ae799a0c74df1
Instruction ID: faf376b396994fb2b7664c091567be305a1c63dc731f8ce9437762a9a4bd3e9f
Opcode Fuzzy Hash: cd5294bfa9dc5907ccf88c028f5b20bb58ea15ca9d907468cd6ae799a0c74df1
Instruction Fuzzy Hash: CB02BF756046019FDB15EF29C881E2ABBE5FF88710F05845DF98A9B362CB78EC40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FFF37E
_wcscmp.LIBCMT ref: 00FFF393
_wcscmp.LIBCMT ref: 00FFF3AA

Part of subcall function 00FF45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FF45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00FFF3D9
FindClose.KERNEL32(00000000), ref: 00FFF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00FFF400
_wcscmp.LIBCMT ref: 00FFF427
_wcscmp.LIBCMT ref: 00FFF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFF450
SetCurrentDirectoryW.KERNEL32(0104A5A0), ref: 00FFF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFF478
FindClose.KERNEL32(00000000), ref: 00FFF485
FindClose.KERNEL32(00000000), ref: 00FFF497

Strings

*.*, xrefs: 00FFF3FB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ae071eb06d600341f226a32924ba87b577783de5bc3706a7d841390f0281494f
Instruction ID: e31bfe8ddb41ecf212f6b25984e2f68e5f47d10f68668566954023c4d84e1c66
Opcode Fuzzy Hash: ae071eb06d600341f226a32924ba87b577783de5bc3706a7d841390f0281494f
Instruction Fuzzy Hash: FD31E97290111E6BDB20DE65DC88AEF77AC9F05370F144165E940E31A0DB79DE4CDB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FE81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE8766
Part of subcall function 00FE874A: GetLastError.KERNEL32(?,00FE822A,?,?,?), ref: 00FE8770
Part of subcall function 00FE874A: GetProcessHeap.KERNEL32(00000008,?,?,00FE822A,?,?,?), ref: 00FE877F
Part of subcall function 00FE874A: HeapAlloc.KERNEL32(00000000,?,00FE822A,?,?,?), ref: 00FE8786
Part of subcall function 00FE874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE879D

Part of subcall function 00FE87E7: GetProcessHeap.KERNEL32(00000008,00FE8240,00000000,00000000,?,00FE8240,?), ref: 00FE87F3
Part of subcall function 00FE87E7: HeapAlloc.KERNEL32(00000000,?,00FE8240,?), ref: 00FE87FA
Part of subcall function 00FE87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FE8240,?), ref: 00FE880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE825B
_memset.LIBCMT ref: 00FE8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE828F
GetLengthSid.ADVAPI32(?), ref: 00FE82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00FE82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE82F9
GetLengthSid.ADVAPI32(?), ref: 00FE8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FE8325
HeapAlloc.KERNEL32(00000000), ref: 00FE832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE834D
CopySid.ADVAPI32(00000000), ref: 00FE8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE83BF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: edb737e2ed0da32b0bc0797554059b38d4ee1e292fbeb538035bd8ee71b5d69d
Instruction ID: 2436af4f256162d0d01efc2b481cbf3753e5dd842ee25a84bef9bb128c6a68cb
Opcode Fuzzy Hash: edb737e2ed0da32b0bc0797554059b38d4ee1e292fbeb538035bd8ee71b5d69d
Instruction Fuzzy Hash: D2617E7190024AEFDF11EFA1DC44AEEBBB9FF04750F148119F919A7290DB399A06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00FE16FA
BSR_ANYCRLF), xrefs: 00FE1757
LIMIT_MATCH=, xrefs: 00FE15A9
ANY), xrefs: 00FE1717
NO_AUTO_POSSESS), xrefs: 00FE1567
BSR_UNICODE), xrefs: 00FE1771
CR), xrefs: 00FE16C0
NO_START_OPT), xrefs: 00FE1588
ANYCRLF), xrefs: 00FE1734
UTF), xrefs: 00FE1533
LIMIT_RECURSION=, xrefs: 00FE1635
UCP), xrefs: 00FE1546
LF), xrefs: 00FE16DD
UTF16), xrefs: 00FE1508

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 5de03b4691d64512eb609b7a2c1787f236cc095f1d30eef75d725f46a2973583
Instruction ID: 1827bab72eb94aa0d078de478e3c102efdb0495fa159e2dfd2ecff3502a08bc7
Opcode Fuzzy Hash: 5de03b4691d64512eb609b7a2c1787f236cc095f1d30eef75d725f46a2973583
Instruction Fuzzy Hash: 677282B5E002599BDF24CF5AC8807EEB7B5FF49720F14816AE845EB280D7749D81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01010665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 010110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01010038,?,?), ref: 010110BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01010737

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 010107D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0101086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01010AAD
RegCloseKey.ADVAPI32(00000000), ref: 01010ABA

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c166ebeeaa909230acd4b9a2d2701e07e9f0bf58d04e95c791f63414f00daf7a
Instruction ID: 00069a52bd20a7f5a3d377848d07c5847ff3784e3ee9465994bd8d35df6bbfe1
Opcode Fuzzy Hash: c166ebeeaa909230acd4b9a2d2701e07e9f0bf58d04e95c791f63414f00daf7a
Instruction Fuzzy Hash: 1FE19D31604200AFDB14DF28C880E2EBBE9FF89714F04896DF48ADB265DB38E945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FF0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FF0241
GetAsyncKeyState.USER32(000000A0), ref: 00FF02C2
GetKeyState.USER32(000000A0), ref: 00FF02DD
GetAsyncKeyState.USER32(000000A1), ref: 00FF02F7
GetKeyState.USER32(000000A1), ref: 00FF030C
GetAsyncKeyState.USER32(00000011), ref: 00FF0324
GetKeyState.USER32(00000011), ref: 00FF0336
GetAsyncKeyState.USER32(00000012), ref: 00FF034E
GetKeyState.USER32(00000012), ref: 00FF0360
GetAsyncKeyState.USER32(0000005B), ref: 00FF0378
GetKeyState.USER32(0000005B), ref: 00FF038A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 872a2677f3f2e9f6d6cbb263e067f61067d5fe39c30304f8cfa037c1ac1370c0
Instruction ID: 253e24929577fb5dcca2d563ec67344cf074986b4edd7904414fc2633858f16c
Opcode Fuzzy Hash: 872a2677f3f2e9f6d6cbb263e067f61067d5fe39c30304f8cfa037c1ac1370c0
Instruction Fuzzy Hash: 5841AA34D047CE6EFF319A6484087B5BEA06F12364F48409EDBC6461D3EFD959C8A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01004458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0100447F
EmptyClipboard.USER32 ref: 01004485
GlobalAlloc.KERNEL32(00000002,?), ref: 0100449A
CloseClipboard.USER32 ref: 01004539

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ff31eab0fc0b51e187179ed955f2cb6992696beef994530ae293fdb48c882499
Instruction ID: 080374d97f8eb661ae6ccbe7d1416ebd80d1a6e9b4d42c7b2154b29da622f89a
Opcode Fuzzy Hash: ff31eab0fc0b51e187179ed955f2cb6992696beef994530ae293fdb48c882499
Instruction Fuzzy Hash: C921F9353002119FEB219F64EC09B6D77A8EF04751F01805AF9C6D72A2CB7EAD00DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F948A1,?,?,00F937C0,?), ref: 00F948CE

Part of subcall function 00FF4CD3: GetFileAttributesW.KERNEL32(?,00FF3947), ref: 00FF4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00FF3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FF3B87
MoveFileW.KERNEL32(?,?), ref: 00FF3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FF3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FF3BF5

Strings

\*.*, xrefs: 00FF3A8A, 00FF3A93, 00FF3AA8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: bd8e7ead44660f7e53923dbdc373a5b03d2b6f718a8a1819c60c0863a5db3dd4
Instruction ID: 75c61db80325afd65a624959dcaba6c324302575f4d46214f8f31482905d2dcc
Opcode Fuzzy Hash: bd8e7ead44660f7e53923dbdc373a5b03d2b6f718a8a1819c60c0863a5db3dd4
Instruction Fuzzy Hash: 57517E31C0524DAADF15FBA0CD929FDB778AF54300F2441A9E542771A1EF296F09EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FFF6AB
Sleep.KERNEL32(0000000A), ref: 00FFF6DB
_wcscmp.LIBCMT ref: 00FFF6EF
_wcscmp.LIBCMT ref: 00FFF70A
FindNextFileW.KERNEL32(?,?), ref: 00FFF7A8
FindClose.KERNEL32(00000000), ref: 00FFF7BE

Strings

*.*, xrefs: 00FFF690

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: aa376a3b43b43b5c18f35242be0b76f56bde3e55478efcd96ac36beea7fd7f5a
Instruction ID: 52f1825c6a6ec245169c5132677b59c30d2e879854fcf84770afd4ca7a657508
Opcode Fuzzy Hash: aa376a3b43b43b5c18f35242be0b76f56bde3e55478efcd96ac36beea7fd7f5a
Instruction Fuzzy Hash: 5C417F7290420E9BDF21EF64CC85AEEBBB4FF05310F144566E915A71A1EB349E48DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FA4520
ERCP, xrefs: 00FA421F
VUUU, xrefs: 00FD7B0C
VUUU, xrefs: 00FA44ED
VUUU, xrefs: 00FA44DB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 19ef9540a2708d081aadf0c17fc2060332cd3e6571dbcd30d6e3cb5da20c38f0
Instruction ID: 6907d630284fe4f979585e1332a93f201ce34f5b48944ad6e192471ef909ff45
Opcode Fuzzy Hash: 19ef9540a2708d081aadf0c17fc2060332cd3e6571dbcd30d6e3cb5da20c38f0
Instruction Fuzzy Hash: 9FA293B1D0421ACBDF24DF58C9407ADB7B2BF95324F1481AAD855AB380E774AD81EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA5A05
_memmove.LIBCMT ref: 00FA5A55
_memmove.LIBCMT ref: 00FA5ABB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 68d73a07f09205da6a9975495170bc877aa1d000bfd62c24a09a58f0f55cb215
Instruction ID: c8ad63f6acc098d873c5c46d5842d18d9964a5f4e5652eb5ed918575545a1fb4
Opcode Fuzzy Hash: 68d73a07f09205da6a9975495170bc877aa1d000bfd62c24a09a58f0f55cb215
Instruction Fuzzy Hash: 9C129BB0A00609DFDF14DFA5D981AEEB7B5FF48700F104129E446E7251EB3AAD51EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE8D0D
Part of subcall function 00FE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8D3A
Part of subcall function 00FE8CC3: GetLastError.KERNEL32 ref: 00FE8D47

ExitWindowsEx.USER32(?,00000000), ref: 00FF549B

Strings

SeShutdownPrivilege, xrefs: 00FF546B
, xrefs: 00FF5489
@, xrefs: 00FF548E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e7e0d75e0aa74017c1d4a14f5a6ff9fd3de9f94587ae0f64a6bc070791035f26
Instruction ID: e38435cc0221a69907075f22a8d3c763a5483f6c47ac23d0af497cfd6568fb11
Opcode Fuzzy Hash: e7e0d75e0aa74017c1d4a14f5a6ff9fd3de9f94587ae0f64a6bc070791035f26
Instruction Fuzzy Hash: 64014C72E54E196AE738E674DC5ABB67258EF01B63F300021FF47D60F3E5990C80A290

Uniqueness

Uniqueness Score: -1.00%

Function 01006596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010065EF
WSAGetLastError.WSOCK32(00000000), ref: 010065FE
bind.WSOCK32(00000000,?,00000010), ref: 0100661A
listen.WSOCK32(00000000,00000005), ref: 01006629
WSAGetLastError.WSOCK32(00000000), ref: 01006643
closesocket.WSOCK32(00000000,00000000), ref: 01006657

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3a964970f70987c2c80456e7326d2a6131ddb50a9836c6c91a2f0058ae244d93
Instruction ID: 6fceb01cc516e409e91882843a0801fd947fabd9810bef292b6d5c68e09cb0f8
Opcode Fuzzy Hash: 3a964970f70987c2c80456e7326d2a6131ddb50a9836c6c91a2f0058ae244d93
Instruction Fuzzy Hash: 4821EC306002119FEB10EF28CC85A2EB7EAEF48320F118199F996E73C1CB79AC059B51

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0FF6: std::exception::exception.LIBCMT ref: 00FB102C
Part of subcall function 00FB0FF6: __CxxThrowException@8.LIBCMT ref: 00FB1041

_memmove.LIBCMT ref: 00FE062F
_memmove.LIBCMT ref: 00FE0744
_memmove.LIBCMT ref: 00FE07EB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 625c528c684bd45d8da5599c83e5723b1d0692638941387e226123bf269fba9e
Instruction ID: eea9d1a999499ae80be691bf816b774b09426bdc4d91fa07ef336cc674613b0a
Opcode Fuzzy Hash: 625c528c684bd45d8da5599c83e5723b1d0692638941387e226123bf269fba9e
Instruction Fuzzy Hash: 9B02DFB0E00209DFDF04DF65D981AAEBBB5FF45300F148069E806DB295EB39DA51EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F91287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F919FA
GetSysColor.USER32(0000000F), ref: 00F91A4E
SetBkColor.GDI32(?,00000000), ref: 00F91A61

Part of subcall function 00F91290: DefDlgProcW.USER32(?,00000020,?), ref: 00F912D8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 285276841f87d92f990423768825cd98deed278033fcd39a98ff69207f6e5a13
Instruction ID: fccf95b9248f1e2e869d25b98919bcf4b8dd0adbd7488dd484836668e87b99ec
Opcode Fuzzy Hash: 285276841f87d92f990423768825cd98deed278033fcd39a98ff69207f6e5a13
Instruction Fuzzy Hash: BCA14772505547BAFF38AA294D46FBF365DFB82361F140129F442D6185CA2ECC01F675

Uniqueness

Uniqueness Score: -1.00%

Function 01006A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 010080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010080CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 01006AB1
WSAGetLastError.WSOCK32(00000000), ref: 01006ADA
bind.WSOCK32(00000000,?,00000010), ref: 01006B13
WSAGetLastError.WSOCK32(00000000), ref: 01006B20
closesocket.WSOCK32(00000000,00000000), ref: 01006B34

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b0eef3280bc5ef9ee5bfd93cde901b47facdfe894ca5c8ce65be1fc786f50498
Instruction ID: 4fbb8eecf96e130b96a42ca23011f56684eb2c7f57073c56d4d2092e55740b2c
Opcode Fuzzy Hash: b0eef3280bc5ef9ee5bfd93cde901b47facdfe894ca5c8ce65be1fc786f50498
Instruction Fuzzy Hash: D941D475A00610AFFF10BF68DC86F6E77A9EB45710F01805CFA5AAB3C2CA799D019791

Uniqueness

Uniqueness Score: -1.00%

Function 010155FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0101564C
IsWindowEnabled.USER32 ref: 0101565A
GetForegroundWindow.USER32(?,?,00000001), ref: 01015667
IsIconic.USER32 ref: 01015675
IsZoomed.USER32 ref: 01015683

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 311e1c367294e3c485c1f4ec893f17fa2254f0ccef533b9321dd0bab3b08f740
Instruction ID: 1ba7deae7734fb2d455d73d1a98b37c0ede52b1d5bf3982b8cb10fadf9823130
Opcode Fuzzy Hash: 311e1c367294e3c485c1f4ec893f17fa2254f0ccef533b9321dd0bab3b08f740
Instruction Fuzzy Hash: AA11C4317006116FEB211F2AEC44A2F7BD8FF89761B014829F986DB245CB7D99018AE4

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FFC69D
CoCreateInstance.OLE32(01022D6C,00000000,00000001,01022BDC,?), ref: 00FFC6B5

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

CoUninitialize.OLE32 ref: 00FFC922

Strings

.lnk, xrefs: 00FFC631, 00FFC659, 00FFC663

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: abd5fef2d979905f30d4417154f9bc337dbb5f3cd8a08d8b86c94feeba464985
Instruction ID: e3c2b0176a0339dc4f160d9ff9cdfa087c2409b809f692fc076a978335117000
Opcode Fuzzy Hash: abd5fef2d979905f30d4417154f9bc337dbb5f3cd8a08d8b86c94feeba464985
Instruction Fuzzy Hash: 14A12B71108305AFE700EF64CC81EABB7E8EF94714F00491CF196971A1EBB5AA49DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0100C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FD1D88,?), ref: 0100C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0100C324

Strings

GetSystemWow64DirectoryW, xrefs: 0100C31E
kernel32.dll, xrefs: 0100C30D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c0b34dae0001c83b3ee345021912cfb1d58d0496323b9b7f3e7225cedd58058a
Instruction ID: 2ec5af9c7e59e8f48eee8ecead8390b3e2a3901051ec542ad23908bbe29b5c19
Opcode Fuzzy Hash: c0b34dae0001c83b3ee345021912cfb1d58d0496323b9b7f3e7225cedd58058a
Instruction Fuzzy Hash: 79E08C746107038FFB324E2ED554A4677D4EF09205F8084ADE8C5C6240E778D440CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 3d83d1848baa2dbe14701456fccb0e8a69cd3d9227a8677a50e1a09a9df06460
Instruction ID: 008ffdbd531b9d2361591e580cb3614fc2778c52f8e1912584eb043eb81fadc2
Opcode Fuzzy Hash: 3d83d1848baa2dbe14701456fccb0e8a69cd3d9227a8677a50e1a09a9df06460
Instruction Fuzzy Hash: B822BDB19083019FD724EF18C881B6FB7E5AF85710F04491DF8969B391EB75EA04EB92

Uniqueness

Uniqueness Score: -1.00%

Function 0100F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0100F151
Process32FirstW.KERNEL32(00000000,?), ref: 0100F15F

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Process32NextW.KERNEL32(00000000,?), ref: 0100F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0100F22E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8d79dcd0bb9693a40281949594643d8a078aec2e0543def6bf206fae4cfc9ecc
Instruction ID: 6c12df11b6f8f1a61d3f36b3fc1e3f30cbac84a9ba36071fbd639f6052d06c06
Opcode Fuzzy Hash: 8d79dcd0bb9693a40281949594643d8a078aec2e0543def6bf206fae4cfc9ecc
Instruction Fuzzy Hash: C0519D71508301AFE721EF24DC81E6BBBE8FF85710F10481DF595972A1EB78A908DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FF40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00FF40D1
_memset.LIBCMT ref: 00FF40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00FF4144
CloseHandle.KERNEL32(00000000), ref: 00FF414D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 7b873fed798cf4bea9b83b7629de174c2cfbd12212c9f53b7948fba5ccf0d41a
Instruction ID: 1bb60fa58475e1d5adbdb6a580253ef6090214259fd107fe6652732f44a7547b
Opcode Fuzzy Hash: 7b873fed798cf4bea9b83b7629de174c2cfbd12212c9f53b7948fba5ccf0d41a
Instruction Fuzzy Hash: 2411E775D0122C7AE7309AA5AC4DFEBBB7CEF44760F10429AF908D7190D6784E848BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FEEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FEEB19

Strings

(, xrefs: 00FEEB5F
|, xrefs: 00FEEB49

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 15f8b260d9bb4b2628c4ada953300dc661916b01cea707a425cf9ab5ac35f8b6
Instruction ID: e09b76aa3e6080976b237e5f3db2e1a5cd2ffc025faa780a032abf65123e1172
Opcode Fuzzy Hash: 15f8b260d9bb4b2628c4ada953300dc661916b01cea707a425cf9ab5ac35f8b6
Instruction Fuzzy Hash: 40324775A007459FC728CF1AD481A6AB7F1FF48320B15C56EE89ADB3A1E770E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010025E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 010026D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0100270C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 80dccd7e9b2cafe0cff79a8b640ab7f21275c069ba2f81021f31aaa904227ed1
Instruction ID: 4462a7f8a8c6e72b4456f5caa56c54ffb44825bf7f6cee8d778b1e905f6c268e
Opcode Fuzzy Hash: 80dccd7e9b2cafe0cff79a8b640ab7f21275c069ba2f81021f31aaa904227ed1
Instruction Fuzzy Hash: 8141F671500609FFFB22DA59CC88EBFB7FCEB44714F0040AAF685A6181DB759E419A50

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FFB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FFB655

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 298588dfd0ed562936f8ff5104af66d1d68a00445ec5db3a1ec7d7c3a7a25442
Instruction ID: 654941f5d11d3708eb052dacff3aa36e59c930c6ce73997f36d8d70be8c3e8c9
Opcode Fuzzy Hash: 298588dfd0ed562936f8ff5104af66d1d68a00445ec5db3a1ec7d7c3a7a25442
Instruction Fuzzy Hash: 27219D35A00108EFCB00EFA5D880AAEBBB8FF48310F0480A9E945EB351CB39A915DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0FF6: std::exception::exception.LIBCMT ref: 00FB102C
Part of subcall function 00FB0FF6: __CxxThrowException@8.LIBCMT ref: 00FB1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8D3A
GetLastError.KERNEL32 ref: 00FE8D47

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 4b82bcf702adb484939875c1326a2808015b78e7166be07ae4dda77578b38986
Instruction ID: bbfbf994787a7dfd785027023711c04180fb5ce4d4243da4f0096742e312e4d3
Opcode Fuzzy Hash: 4b82bcf702adb484939875c1326a2808015b78e7166be07ae4dda77578b38986
Instruction Fuzzy Hash: 1F11C1B1914209AFD728EF55DC85DABB7FCFB44750B20852EF45A83240EF34AC419B20

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FF4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FF4C43
FreeSid.ADVAPI32(?), ref: 00FF4C53

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8365464a8d7a7fd15046fc547af38ff733adb4d19bb012596f78d40a73cc6997
Instruction ID: 694715e3465b00ad1c6b8488604ba6e43175cc4b160e4acfccc8619fa3e17728
Opcode Fuzzy Hash: 8365464a8d7a7fd15046fc547af38ff733adb4d19bb012596f78d40a73cc6997
Instruction Fuzzy Hash: CFF04F7591130DBFDF04DFF0D889ABEB7BCEF08211F004469A601E2180D6796A048B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79de08e5ce3b88bba44337a78b1862ea9ab14b0756b51f0599c28ff907a6d38
Instruction ID: 6a4962e04173f67df10e201675ce645dc89caaa3e61a4391e6c746966aa41512
Opcode Fuzzy Hash: c79de08e5ce3b88bba44337a78b1862ea9ab14b0756b51f0599c28ff907a6d38
Instruction Fuzzy Hash: 3422AD75E00215DFEF24DF58C880BAEBBB1FF04310F18816AE9569B351E734A985EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFC966
FindClose.KERNEL32(00000000), ref: 00FFC996

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c27a806db113b19a196103b106d32eb8eb13ecb0705a59203ffea20e0518b442
Instruction ID: 25a98630bfa76b61f1ddae41fc7e5e49c0cda573e93cc404d795b2b0f546deda
Opcode Fuzzy Hash: c27a806db113b19a196103b106d32eb8eb13ecb0705a59203ffea20e0518b442
Instruction Fuzzy Hash: BD11C4326046149FDB10EF29C845A2EF7E9FF84320F01851EF9A9D72A1DB78AC04DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0100977D,?,0101FB84,?), ref: 00FFA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0100977D,?,0101FB84,?), ref: 00FFA314

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d21861763a156f821cb7f9919595cad1dbb9ddf57144bbfadd9d0d760c3eeabf
Instruction ID: ded9bc1df7d962d6248da2e12909bd69d611f39ea3648cc6dd54f0e29192b91b
Opcode Fuzzy Hash: d21861763a156f821cb7f9919595cad1dbb9ddf57144bbfadd9d0d760c3eeabf
Instruction Fuzzy Hash: CBF0E23150432EABEB20AFA4CC48FEA736CBF08361F008155F908D3281D6359914DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE8851), ref: 00FE8728
CloseHandle.KERNEL32(?,?,00FE8851), ref: 00FE873A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 11eec700a9f6c4f23e7a0d910454317a9e351a9491a5985504d24f502c6199b9
Instruction ID: 0ddf76e24885efd47b21966c15e373b62e8353ac1971a34ffe3079653ccd5d2b
Opcode Fuzzy Hash: 11eec700a9f6c4f23e7a0d910454317a9e351a9491a5985504d24f502c6199b9
Instruction Fuzzy Hash: 05E0EC76010651EFE7363B61EC09DB77BE9FF043A0724892DF49A80474DB6AAC91EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FB8F97,?,?,?,00000001), ref: 00FBA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FBA3A3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cdacae2c5618557d1393d2f88768d501b482cd304f78aa070c0cc4cfa65fee63
Instruction ID: e0f05faf073ad3a3923c5e5fa775d51f840c21a8a3cee4904f5e6a61fdcae2c1
Opcode Fuzzy Hash: cdacae2c5618557d1393d2f88768d501b482cd304f78aa070c0cc4cfa65fee63
Instruction Fuzzy Hash: 71B0923105420AEBCA102B91E809B883F68FB44BAAF408010F64D84054CBEB54548B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0babee5e4072b4fd2a1c4b026fe22e7e3e261562fc52b9663738700668724c
Instruction ID: c454718569b389f06fa0bfcc4839e8e442df3dd204e6db7b72577f49ce4ea495
Opcode Fuzzy Hash: 1b0babee5e4072b4fd2a1c4b026fe22e7e3e261562fc52b9663738700668724c
Instruction Fuzzy Hash: 32321272D29F014DD7339939D832336A648AFB73D4F25D737E819B5A9AEB29C4831600

Uniqueness

Uniqueness Score: -1.00%

Function 00FC267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1a90634b24f20aa23999167c806d474d8e57c4cfc750f350ffe12c6186785
Instruction ID: 34ed988b36c7b3b49046c0822d4e8a3d74f2b87f62e5e76dfd2cf10b0173b2fd
Opcode Fuzzy Hash: 63d1a90634b24f20aa23999167c806d474d8e57c4cfc750f350ffe12c6186785
Instruction Fuzzy Hash: CAB1F030E2AF418DD6339A398931336B64CAFBB2D5F61D71BFC6671D16EB2685834240

Uniqueness

Uniqueness Score: -1.00%

Function 00FF8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FF8B25

Part of subcall function 00FB543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FF91F8,00000000,?,?,?,?,00FF93A9,00000000,?), ref: 00FB5443
Part of subcall function 00FB543A: __aulldiv.LIBCMT ref: 00FB5463

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f9a76402f950b4868e70ec1c06bdcbd64b397fd2fb7c88d428da6df9924e2e63
Instruction ID: 14e271cf5e8967dc84ff276ea745c39c4ccaec5ce5622957a710da42ac9ada58
Opcode Fuzzy Hash: f9a76402f950b4868e70ec1c06bdcbd64b397fd2fb7c88d428da6df9924e2e63
Instruction Fuzzy Hash: 8521E472635610CBC729CF25D441B62B3E1EFA4321B688E2CD1E5CB2D0CA79B905DB94

Uniqueness

Uniqueness Score: -1.00%

Function 010041FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 01004218

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 26dee1069e760096566d984d34d5e7d5cbd92ec5f6eedd3fa14d7f6f99ef9f55
Instruction ID: 69f0179aa5088342ffd3a1ef3d8411f965fe5b63fb364020b49e87cbde4645cb
Opcode Fuzzy Hash: 26dee1069e760096566d984d34d5e7d5cbd92ec5f6eedd3fa14d7f6f99ef9f55
Instruction Fuzzy Hash: 9AE048313441155FD710EF5DD844A5AF7D8EF54760F018419FD89C7352DAB5E8408B94

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FF4F18

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e99614c121e532248e2783650fa7912c6ed92cb2fdda1fbe7dca4f2ba6b5523a
Instruction ID: 7b060473d9b8b6f94ae7a3a35399a9200b252e46f492d0d0652d70cddf837d13
Opcode Fuzzy Hash: e99614c121e532248e2783650fa7912c6ed92cb2fdda1fbe7dca4f2ba6b5523a
Instruction Fuzzy Hash: A6D05EB156420D78FE284B24AC0FF771108FB807A1F844989330A876E1D9E97800B434

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FE88D1), ref: 00FE8CB3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 84ebcd8fb24b9595508431e855afdfcd50c115fcc2541c820480c2dcfbb79701
Instruction ID: 122744b433ebcb08f95c47114d23e6face2e78a2f6a847968da9b02631f7128f
Opcode Fuzzy Hash: 84ebcd8fb24b9595508431e855afdfcd50c115fcc2541c820480c2dcfbb79701
Instruction Fuzzy Hash: F6D05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C77AD835AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FD2242

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 51bda89da2352eba1b9d9f8c0f9953770ae11aac059ec9e7621c11783e8b181a
Instruction ID: 45b09728b96073c8c2e6cbab15b63057738c14712bceb8db4af61f926f50a98a
Opcode Fuzzy Hash: 51bda89da2352eba1b9d9f8c0f9953770ae11aac059ec9e7621c11783e8b181a
Instruction Fuzzy Hash: F3C04CF1800109DBDB15DB90D588DEE77BCBB04304F144156A141F2100D7789B449B71

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FBA36A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a4a9e3b56d92bbaa17f589da26803c894000140f5d4cb01504f2205dbd686e55
Instruction ID: 6f706cf793e105f839add71619735bbf3e003852f542974d1f45facf7aef3522
Opcode Fuzzy Hash: a4a9e3b56d92bbaa17f589da26803c894000140f5d4cb01504f2205dbd686e55
Instruction Fuzzy Hash: F4A0113000020EAB8A002A82E808888BFACEA002A8B008020F80C80022CBBBA8208A80

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db3dede2492997226aad41791063291b97dc5e8d8309622fedc853ba727331c
Instruction ID: d24e0246a8e795f3d6bdcd0af1df9568d6c87ec41c7977cc2bfb17b017f331ed
Opcode Fuzzy Hash: 8db3dede2492997226aad41791063291b97dc5e8d8309622fedc853ba727331c
Instruction Fuzzy Hash: 452246F1D01656CBDF288E15C0C077D77A1EF427A8F28446AD8468B291DBB49E92FF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 79ce5b8ce149ea66b0c18f1393d53afae3fa37aacad2ba5e402c0732192dbff0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: BDC1943260505309DF6D863BD4341BEBBE16AA27B136A075DE4B3CB9C5EF20D524FA20

Uniqueness

Uniqueness Score: -1.00%

Function 00FB283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 83dc0a52ab10e2fbfd1928095501dcaaf77e9ea145fa2637c32db0b653e437d7
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 6EC1B43360519309DF6D463B94341BEBBE16BA27B135A076DE4B2DB4D4EF20D524FA20

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: bf1b6e01f8c337dcab567efe98938933882e991beefc086d842c2fc38c1fd001
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: C6C1653260519309DF6D463B94341BEBBE17AA27B139A076DE4B3CB5D4EF20D524FA20

Uniqueness

Uniqueness Score: -1.00%

Function 019B3790 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6576c37216f2c47909824e019f3166769cd3015db2156ad97ec74030ae8bb671
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 3D41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 019B3680 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: debd5da060aea29c13ffe85859cc8ccbde3b7c0a40177c60a00117c21d512fc5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 6D019278A01109EFCB44DF98C6919AEF7B5FB88310F208599D809A7301E730AF41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 019B3620 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: de28c5ade2b7b7b5c4c800b199922627b01b9095fb93459342c3ae958dd3a980
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 40019278A01109EFCB48DF98C6919AEF7B5FB48310F208599D809A7301E730AF41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 019B1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689324764.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19b0000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 01007B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01007B70
DeleteObject.GDI32(00000000), ref: 01007B82
DestroyWindow.USER32 ref: 01007B90
GetDesktopWindow.USER32 ref: 01007BAA
GetWindowRect.USER32(00000000), ref: 01007BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 01007CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 01007D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007D4A
GetClientRect.USER32(00000000,?), ref: 01007D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01007D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007DF8
GlobalFree.KERNEL32(00000000), ref: 01007E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01022CAC,00000000), ref: 01007E2B
GlobalFree.KERNEL32(00000000), ref: 01007E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01007E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01007E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0100808F

Strings

, xrefs: 01008015
static, xrefs: 01007D8A, 01007EE1
AutoIt v3, xrefs: 01007D42
DISPLAY, xrefs: 01007EF2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: dad2968178a91009f0a9b7cfd43245f67d3f67208a9d45fbcc7d3f7f9446abf4
Instruction ID: aadd03dd8c2479971c8ba8df0f1ba15fd4b45ac4890ec0acff68e5d287d8b11c
Opcode Fuzzy Hash: dad2968178a91009f0a9b7cfd43245f67d3f67208a9d45fbcc7d3f7f9446abf4
Instruction Fuzzy Hash: 5F028271900109EFEB15DFA8CC89EAE7BB9FF48310F048558F9859B295CB79AD00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010137F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0101F910), ref: 010138AF
IsWindowVisible.USER32(?), ref: 010138D3

Strings

SELECTSTRING, xrefs: 01013A8E
GETSELECTED, xrefs: 01013B2B
FINDSTRING, xrefs: 010139FE
UNCHECK, xrefs: 01013B0B
ISENABLED, xrefs: 010138F3
GETCURRENTCOL, xrefs: 01013BB0
CHECK, xrefs: 01013AF5
SETCURRENTSELECTION, xrefs: 01013A3E
SHOWDROPDOWN, xrefs: 01013968
DELSTRING, xrefs: 010139D1
GETLINECOUNT, xrefs: 01013B4E
EDITPASTE, xrefs: 01013BE7
GETLINE, xrefs: 01013C23
GETCURRENTSELECTION, xrefs: 01013A6B
ISVISIBLE, xrefs: 010138BF
ISCHECKED, xrefs: 01013AC1
GETCURRENTLINE, xrefs: 01013B75
CURRENTTAB, xrefs: 01013945
ADDSTRING, xrefs: 0101399E
SENDCOMMANDID, xrefs: 01013C62
HIDEDROPDOWN, xrefs: 01013988
TABLEFT, xrefs: 0101390F
TABRIGHT, xrefs: 01013925

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: ef6dc5af72fe4957e4822c6d66b508be9f44b8d6eb6641851d9c7187b5863155
Instruction ID: 7fd4e6ff57b8e64f1d3c58436f35ac59ebbb8265a006d4b3930a0e62ff9bcc01
Opcode Fuzzy Hash: ef6dc5af72fe4957e4822c6d66b508be9f44b8d6eb6641851d9c7187b5863155
Instruction Fuzzy Hash: B0D160702083069BDB14EF25C891AAE7BE5BF94354F00845CB9C65F2E6CF69E90ADF41

Uniqueness

Uniqueness Score: -1.00%

Function 0101A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0101A89F
GetSysColorBrush.USER32(0000000F), ref: 0101A8D0
GetSysColor.USER32(0000000F), ref: 0101A8DC
SetBkColor.GDI32(?,000000FF), ref: 0101A8F6
SelectObject.GDI32(?,?), ref: 0101A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0101A930
GetSysColor.USER32(00000010), ref: 0101A938
CreateSolidBrush.GDI32(00000000), ref: 0101A93F
FrameRect.USER32(?,?,00000000), ref: 0101A94E
DeleteObject.GDI32(00000000), ref: 0101A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0101A9A0
FillRect.USER32(?,?,?), ref: 0101A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0101A9FD

Part of subcall function 0101AB60: GetSysColor.USER32(00000012), ref: 0101AB99
Part of subcall function 0101AB60: SetTextColor.GDI32(?,?), ref: 0101AB9D
Part of subcall function 0101AB60: GetSysColorBrush.USER32(0000000F), ref: 0101ABB3
Part of subcall function 0101AB60: GetSysColor.USER32(0000000F), ref: 0101ABBE
Part of subcall function 0101AB60: GetSysColor.USER32(00000011), ref: 0101ABDB
Part of subcall function 0101AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101ABE9
Part of subcall function 0101AB60: SelectObject.GDI32(?,00000000), ref: 0101ABFA
Part of subcall function 0101AB60: SetBkColor.GDI32(?,00000000), ref: 0101AC03
Part of subcall function 0101AB60: SelectObject.GDI32(?,?), ref: 0101AC10
Part of subcall function 0101AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0101AC2F
Part of subcall function 0101AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101AC46
Part of subcall function 0101AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0101AC5B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 44da9c20ccced51113b5f5c7a7ec999eebd2aba99f0e9572f68043be5dc7261c
Instruction ID: e65518167bcd3dceff700e3e203d6c903e9eaec1af14e65ea033b48efe2f287b
Opcode Fuzzy Hash: 44da9c20ccced51113b5f5c7a7ec999eebd2aba99f0e9572f68043be5dc7261c
Instruction Fuzzy Hash: 29A1AE72109342EFD7219F64DC08A6B7BE9FF89321F100A19FAA297195D73ED848CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F92C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F92CA2
DeleteObject.GDI32(00000000), ref: 00F92CE8
DeleteObject.GDI32(00000000), ref: 00F92CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F92CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F92D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FCC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FCC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FCCAED

Part of subcall function 00F91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F92036,?,00000000,?,?,?,?,00F916CB,00000000,?), ref: 00F91B9A

SendMessageW.USER32(?,00001053), ref: 00FCCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FCCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FCCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FCCB62

Strings

0, xrefs: 00FCC981

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8417b8b9c80a48cd027eece272b2251d7ddfbc2744826c9fc47924c8b8c787c9
Instruction ID: d7b590f186efc4abfcae3feb354da245d4db083e070126bee3431c18c97fa5a4
Opcode Fuzzy Hash: 8417b8b9c80a48cd027eece272b2251d7ddfbc2744826c9fc47924c8b8c787c9
Instruction Fuzzy Hash: 7812AC30A00202AFDB65CF24C989FA9BBE5FF44320F54456DE589DB652C735EC45EB90

Uniqueness

Uniqueness Score: -1.00%

Function 010077BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010077F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 010078B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010078EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 01007900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01007946
GetClientRect.USER32(00000000,?), ref: 01007952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01007996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 010079A5
GetStockObject.GDI32(00000011), ref: 010079B5
SelectObject.GDI32(00000000,00000000), ref: 010079B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010079C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010079D2
DeleteDC.GDI32(00000000), ref: 010079DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01007A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 01007A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01007A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01007A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 01007A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 01007AAE
GetStockObject.GDI32(00000011), ref: 01007AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01007AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 01007ACE

Strings

static, xrefs: 01007990, 01007AA8
AutoIt v3, xrefs: 0100793E
DISPLAY, xrefs: 0100799B
msctls_progress32, xrefs: 01007A4F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 51aafd0bba76ed73060b72f135f7c0ceec6aad2bca05f50c8c30e35376320add
Instruction ID: c4b6bda5995e3090c9582da280ddbbf71dc5e7074906281d83ed33599912d442
Opcode Fuzzy Hash: 51aafd0bba76ed73060b72f135f7c0ceec6aad2bca05f50c8c30e35376320add
Instruction Fuzzy Hash: 94A17171A40605BFEB24DBA8DC4AFAF7BB9EB44710F004118FA55A72D0D7B9AD44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FFAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFAF89
GetDriveTypeW.KERNEL32(?,0101FAC0,?,\\.\,0101F910), ref: 00FFB066
SetErrorMode.KERNEL32(00000000,0101FAC0,?,\\.\,0101F910), ref: 00FFB1C4

Strings

USB, xrefs: 00FFB15B
RAMDisk, xrefs: 00FFB090
ATAPI, xrefs: 00FFB138
SAS, xrefs: 00FFB170
SSA, xrefs: 00FFB14D
Fibre, xrefs: 00FFB154
FileBackedVirtual, xrefs: 00FFB193
Network, xrefs: 00FFB0A4
iSCSI, xrefs: 00FFB169
SATA, xrefs: 00FFB177
Virtual, xrefs: 00FFB18C
SCSI, xrefs: 00FFB131
SSD, xrefs: 00FFB0F1
CDROM, xrefs: 00FFB09A
1394, xrefs: 00FFB146
RAID, xrefs: 00FFB162
MMC, xrefs: 00FFB185
Fixed, xrefs: 00FFB0AE
ATA, xrefs: 00FFB13F
\\.\, xrefs: 00FFAFDB
Unknown, xrefs: 00FFB086, 00FFB12A
Removable, xrefs: 00FFB0B8
PhysicalDrive, xrefs: 00FFB012

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 431b6dd99346c0120097e38257b49bedbea0b8d05b964f629c149e0b8a6b600f
Instruction ID: 704cf5c590c5248adc4a2634f8c2f383256024c6050e42b6881ae63e165e2852
Opcode Fuzzy Hash: 431b6dd99346c0120097e38257b49bedbea0b8d05b964f629c149e0b8a6b600f
Instruction Fuzzy Hash: 35518D71BC430EEB9B14EF11CD92AB973B0BF547557204029E64BAB270CB69AD41FB41

Uniqueness

Uniqueness Score: -1.00%

Function 00F96A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F96A91
__wcsnicmp.LIBCMT ref: 00F96AA9
__wcsnicmp.LIBCMT ref: 00F96AC1
__wcsnicmp.LIBCMT ref: 00F96AD9
__wcsnicmp.LIBCMT ref: 00F96AF1
__wcsnicmp.LIBCMT ref: 00F96B09
__wcsnicmp.LIBCMT ref: 00F96B21
__wcsnicmp.LIBCMT ref: 00F96B35
__wcsnicmp.LIBCMT ref: 00F96B76
__wcsnicmp.LIBCMT ref: 00F96B8A
__wcsnicmp.LIBCMT ref: 00F96B9E
__wcsnicmp.LIBCMT ref: 00F96BB2

Strings

#comments-end, xrefs: 00F96B98
#pragma compile, xrefs: 00F96A8B
#include-once, xrefs: 00F96AEB
#notrayicon, xrefs: 00F96AA3
#cs, xrefs: 00F96B2F, 00F96B84
#OnAutoItStartRegister, xrefs: 00F96AD3
#requireadmin, xrefs: 00F96ABB
Bad directive syntax error, xrefs: 00FCE743
#comments-start, xrefs: 00F96B1B, 00F96B70
#include, xrefs: 00F96B03
#ce, xrefs: 00F96BAC
Unterminated group of comments, xrefs: 00FCE82C
Cannot parse #include, xrefs: 00FCE819

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d27931bcf598941a0fb2fc2b073649533849c86fdc8864b96fd1ce9081580b07
Instruction ID: b5108b49dee36b119da2b2ce2c65159754775287825dfc1c0844dc989220ce81
Opcode Fuzzy Hash: d27931bcf598941a0fb2fc2b073649533849c86fdc8864b96fd1ce9081580b07
Instruction Fuzzy Hash: 178139B1A40316ABEF21BF61CD93FAE7758AF14710F044028FD45EA192EB68DA45F690

Uniqueness

Uniqueness Score: -1.00%

Function 0101AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0101AB99
SetTextColor.GDI32(?,?), ref: 0101AB9D
GetSysColorBrush.USER32(0000000F), ref: 0101ABB3
GetSysColor.USER32(0000000F), ref: 0101ABBE
CreateSolidBrush.GDI32(?), ref: 0101ABC3
GetSysColor.USER32(00000011), ref: 0101ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101ABE9
SelectObject.GDI32(?,00000000), ref: 0101ABFA
SetBkColor.GDI32(?,00000000), ref: 0101AC03
SelectObject.GDI32(?,?), ref: 0101AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0101AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0101AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0101ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0101ACEC
DrawFocusRect.USER32(?,?), ref: 0101ACF7
GetSysColor.USER32(00000011), ref: 0101AD05
SetTextColor.GDI32(?,00000000), ref: 0101AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0101AD21
SelectObject.GDI32(?,0101A869), ref: 0101AD38
DeleteObject.GDI32(?), ref: 0101AD43
SelectObject.GDI32(?,?), ref: 0101AD49
DeleteObject.GDI32(?), ref: 0101AD4E
SetTextColor.GDI32(?,?), ref: 0101AD54
SetBkColor.GDI32(?,?), ref: 0101AD5E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 05ad0975739cbf988ed14fd8edcfd113301d49b00ebc0681f4a1a8f3f1baece6
Instruction ID: d4f909597d13e4ab68079fa561ffee068a328cc8b499b2a2c9d568364a54a6b4
Opcode Fuzzy Hash: 05ad0975739cbf988ed14fd8edcfd113301d49b00ebc0681f4a1a8f3f1baece6
Instruction Fuzzy Hash: F6619D71901209EFDF219FA8DC48EAE7BB9FB08320F104515FA55AB295D77A9940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01018C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01018D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01018D45
CharNextW.USER32(0000014E), ref: 01018D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01018DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01018DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01018DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01018DF9
SetWindowTextW.USER32(?,0000014E), ref: 01018E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01018E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 01018E8C
_memset.LIBCMT ref: 01018EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01018EFA
_memset.LIBCMT ref: 01018F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01018F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 01018FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 01019088
InvalidateRect.USER32(?,00000000,00000001), ref: 010190AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010190F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01019121
DrawMenuBar.USER32(?), ref: 01019130
SetWindowTextW.USER32(?,0000014E), ref: 01019158

Strings

0, xrefs: 010190C2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 12576055ccb0abb2689d778daa5bbe17b163bcba4ff9421928e2aa8b257ba8e3
Instruction ID: 003078d70a87999e72ae6308af7dc1d2fbba57684a7e9b8843a6e77b1774e389
Opcode Fuzzy Hash: 12576055ccb0abb2689d778daa5bbe17b163bcba4ff9421928e2aa8b257ba8e3
Instruction Fuzzy Hash: A0E1C370900209ABDF20DF65CC84EEE7BB9FF05714F40819AFA959A298D7798A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01014B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01014C51
GetDesktopWindow.USER32 ref: 01014C66
GetWindowRect.USER32(00000000), ref: 01014C6D
GetWindowLongW.USER32(?,000000F0), ref: 01014CCF
DestroyWindow.USER32(?), ref: 01014CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01014D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01014D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01014D68
SendMessageW.USER32(?,00000421,?,?), ref: 01014D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01014D90
IsWindowVisible.USER32(?), ref: 01014DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01014DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01014DDF
GetWindowRect.USER32(?,?), ref: 01014DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 01014E1D
GetMonitorInfoW.USER32(00000000,?), ref: 01014E37
CopyRect.USER32(?,?), ref: 01014E4E
SendMessageW.USER32(?,00000412,00000000), ref: 01014EB9

Strings

0, xrefs: 01014BFC
tooltips_class32, xrefs: 01014D1D
(, xrefs: 01014E2A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 51286fa271a0fb5f10d686d57e9fcae958113efe36ec509585da129d4d78e8d2
Instruction ID: 1ac0527cadc228f7d4fe6d218f477480a6a91eef28e9e46a71d4abd572c113de
Opcode Fuzzy Hash: 51286fa271a0fb5f10d686d57e9fcae958113efe36ec509585da129d4d78e8d2
Instruction Fuzzy Hash: 0CB17A71608341AFDB54DF68C884B6ABBE4BF88314F00891DF5D9DB2A5D779E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F928BC
GetSystemMetrics.USER32(00000007), ref: 00F928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F928EF
GetSystemMetrics.USER32(00000008), ref: 00F928F7
GetSystemMetrics.USER32(00000004), ref: 00F9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F92990
GetClientRect.USER32(00000000,000000FF), ref: 00F929AE
GetStockObject.GDI32(00000011), ref: 00F929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F929D5

Part of subcall function 00F92344: GetCursorPos.USER32(?), ref: 00F92357
Part of subcall function 00F92344: ScreenToClient.USER32(010567B0,?), ref: 00F92374
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000001), ref: 00F92399
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000002), ref: 00F923A7

SetTimer.USER32(00000000,00000000,00000028,00F91256), ref: 00F929FC

Strings

AutoIt v3 GUI, xrefs: 00F92974

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 3b1c5a51be25ddf01b76c5834d751da671dd26e7da318cca8a2b92fabb73eeab
Instruction ID: 38e5ac7abb32f04b89374ebb2c822fcfdd15d59c14defb6a922aa7610c08eee9
Opcode Fuzzy Hash: 3b1c5a51be25ddf01b76c5834d751da671dd26e7da318cca8a2b92fabb73eeab
Instruction Fuzzy Hash: 71B16071A0020AEFEF24DFA8D945FAE7BB4FB48310F108219FA55E7294DB799841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01014069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010140F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010141B6

Strings

GETTEXT, xrefs: 0101415F
SELECT, xrefs: 01014250
DESELECT, xrefs: 010142A4
GETSELECTED, xrefs: 010142E4
GETSELECTEDCOUNT, xrefs: 01014199
FINDITEM, xrefs: 01014329
SELECTINVERT, xrefs: 01014286
GETSUBITEMCOUNT, xrefs: 01014141
GETITEMCOUNT, xrefs: 01014128
ISSELECTED, xrefs: 010141C1
SELECTCLEAR, xrefs: 01014235
SELECTALL, xrefs: 0101421D
VIEWCHANGE, xrefs: 01014375

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 48a36d26e4996f54a37be41864bf9f82900d2fceb6db51025a0d8f37a0deba33
Instruction ID: b765a54ad2fc42f8eae9eeef3ca7224c3bd94e142c234d42a0baf4827ad742de
Opcode Fuzzy Hash: 48a36d26e4996f54a37be41864bf9f82900d2fceb6db51025a0d8f37a0deba33
Instruction Fuzzy Hash: 9DA19F702143029BDB14EF24CC91A6EB7E5BF84314F04896CB8D69B2E6DB78E805DB51

Uniqueness

Uniqueness Score: -1.00%

Function 010052F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 01005309
LoadCursorW.USER32(00000000,00007F8A), ref: 01005314
LoadCursorW.USER32(00000000,00007F00), ref: 0100531F
LoadCursorW.USER32(00000000,00007F03), ref: 0100532A
LoadCursorW.USER32(00000000,00007F8B), ref: 01005335
LoadCursorW.USER32(00000000,00007F01), ref: 01005340
LoadCursorW.USER32(00000000,00007F81), ref: 0100534B
LoadCursorW.USER32(00000000,00007F88), ref: 01005356
LoadCursorW.USER32(00000000,00007F80), ref: 01005361
LoadCursorW.USER32(00000000,00007F86), ref: 0100536C
LoadCursorW.USER32(00000000,00007F83), ref: 01005377
LoadCursorW.USER32(00000000,00007F85), ref: 01005382
LoadCursorW.USER32(00000000,00007F82), ref: 0100538D
LoadCursorW.USER32(00000000,00007F84), ref: 01005398
LoadCursorW.USER32(00000000,00007F04), ref: 010053A3
LoadCursorW.USER32(00000000,00007F02), ref: 010053AE
GetCursorInfo.USER32(?), ref: 010053BE
GetLastError.KERNEL32(00000001,00000000), ref: 010053E9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: e00e9f20b711be2ea56a1d315d1b352ca7afb61c059346f1ffc5d05fc4b92a9c
Instruction ID: ca86a2d71d50dd5500dec43f68510de5010750b9532ec653ec9ff88c7142e0c7
Opcode Fuzzy Hash: e00e9f20b711be2ea56a1d315d1b352ca7afb61c059346f1ffc5d05fc4b92a9c
Instruction Fuzzy Hash: 46415370E083196ADB109FBA8C4996EFFF8EF51B50F10452FA549E72D0DAB894018F51

Uniqueness

Uniqueness Score: -1.00%

Function 00FEAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FEAAA5
__swprintf.LIBCMT ref: 00FEAB46
_wcscmp.LIBCMT ref: 00FEAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FEABAE
_wcscmp.LIBCMT ref: 00FEABEA
GetClassNameW.USER32(?,?,00000400), ref: 00FEAC21
GetDlgCtrlID.USER32(?), ref: 00FEAC73
GetWindowRect.USER32(?,?), ref: 00FEACA9
GetParent.USER32(?), ref: 00FEACC7
ScreenToClient.USER32(00000000), ref: 00FEACCE
GetClassNameW.USER32(?,?,00000100), ref: 00FEAD48
_wcscmp.LIBCMT ref: 00FEAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00FEAD82
_wcscmp.LIBCMT ref: 00FEAD96

Part of subcall function 00FB386C: _iswctype.LIBCMT ref: 00FB3874

Strings

%s%u, xrefs: 00FEAB40

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6e7cb93c4fd1250f970daa7224b61fea36aa6b99d764a3cbf37d1612fafd1905
Instruction ID: 0002e074404243230761cafd52bfa6e0a1a80f8b82ebdecd2f8f2638930f7a7a
Opcode Fuzzy Hash: 6e7cb93c4fd1250f970daa7224b61fea36aa6b99d764a3cbf37d1612fafd1905
Instruction Fuzzy Hash: CEA1E371604386AFD724DE26CC84BEAB7E8FF44325F104629F9A9C2190D734F945EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FEB3DB
_wcscmp.LIBCMT ref: 00FEB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FEB414
CharUpperBuffW.USER32(?,00000000), ref: 00FEB431
_wcscmp.LIBCMT ref: 00FEB44F
_wcsstr.LIBCMT ref: 00FEB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEB498
_wcscmp.LIBCMT ref: 00FEB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FEB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEB518
_wcscmp.LIBCMT ref: 00FEB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00FEB550
GetWindowRect.USER32(00000004,?), ref: 00FEB5B9

Strings

@, xrefs: 00FEB3BC
ThumbnailClass, xrefs: 00FEB4A3, 00FEB523

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: a77cd90bee835fe8d6f9cd9f15f1f8c7608108989c71f46cd3543ca75d1b6dd5
Instruction ID: 85e8babdbc84ba8e29706989378274f1135885333574febf61c0bd7b0c35f3eb
Opcode Fuzzy Hash: a77cd90bee835fe8d6f9cd9f15f1f8c7608108989c71f46cd3543ca75d1b6dd5
Instruction Fuzzy Hash: 7981C0714083859BDB10DF12C885FAB7BE8FF44324F088569FD859A096DB38DD49EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FEB23F

Strings

[CLASS:, xrefs: 00FEB28F
LAST, xrefs: 00FEB204
[ACTIVE, xrefs: 00FEB22C
REGEXP=, xrefs: 00FEB254
CLASSNAME=, xrefs: 00FEB27C
ACTIVE, xrefs: 00FEB21A
[HANDLE:, xrefs: 00FEB24B
[REGEXPTITLE:, xrefs: 00FEB267
[ALL, xrefs: 00FEB2E5
[LAST, xrefs: 00FEB2EC
ALL, xrefs: 00FEB2D3
HANDLE=, xrefs: 00FEB238

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 71133cace0d6eea5668a2b84e8e2f9f4f15b5efe25544e4fa638fd189f4e9b80
Instruction ID: 895796a47b16bdb71a50d9b6c3b82ef0ad6647f797e51d8fec103a0cf3723895
Opcode Fuzzy Hash: 71133cace0d6eea5668a2b84e8e2f9f4f15b5efe25544e4fa638fd189f4e9b80
Instruction Fuzzy Hash: 0131C371A44345A7EF11FA62CD83EEF77A8AF18B50F600039B581750D2EF696E04EA51

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FEC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FEC4E6
SetWindowTextW.USER32(?,?), ref: 00FEC4FD
GetDlgItem.USER32(?,000003EA), ref: 00FEC512
SetWindowTextW.USER32(00000000,?), ref: 00FEC518
GetDlgItem.USER32(?,000003E9), ref: 00FEC528
SetWindowTextW.USER32(00000000,?), ref: 00FEC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FEC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FEC569
GetWindowRect.USER32(?,?), ref: 00FEC572
SetWindowTextW.USER32(?,?), ref: 00FEC5DD
GetDesktopWindow.USER32 ref: 00FEC5E3
GetWindowRect.USER32(00000000), ref: 00FEC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00FEC636
GetClientRect.USER32(?,?), ref: 00FEC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00FEC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FEC693

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 5ffb7d038e1a9b283a8a84cf1438648fcc3328e618f9c0b2448d027963d129fb
Instruction ID: ef63b20b714a54d45c19e1c6b1fc5facd7d6b03bb08e682d48a8ea6c3b7303ed
Opcode Fuzzy Hash: 5ffb7d038e1a9b283a8a84cf1438648fcc3328e618f9c0b2448d027963d129fb
Instruction Fuzzy Hash: 60518D3190070AAFDB20DFA9DD89B6FBBB5FF04704F004918F686A25A0C779A905DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0101A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101A4C8
DestroyWindow.USER32(?,?), ref: 0101A542

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0101A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0101A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101A5F1
DestroyWindow.USER32(00000000), ref: 0101A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F90000,00000000), ref: 0101A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101A663
GetDesktopWindow.USER32 ref: 0101A67C
GetWindowRect.USER32(00000000), ref: 0101A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0101A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0101A6B3

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

Strings

tooltips_class32, xrefs: 0101A5B5, 0101A643
0, xrefs: 0101A4DE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a9cb111720452f0d9ed2e93e8199c23ba75181a1fc6610932843a0ac87704a9b
Instruction ID: 5302dfd76f99c7755b90955b3cfff4b02a5e1ff50e89a5f1e98be634b44266f5
Opcode Fuzzy Hash: a9cb111720452f0d9ed2e93e8199c23ba75181a1fc6610932843a0ac87704a9b
Instruction Fuzzy Hash: DD718A70240345AFE720DF28C849F6A7BE5FB88300F444A1DF985872A5D77AE906CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0101C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DragQueryPoint.SHELL32(?,?), ref: 0101C917

Part of subcall function 0101ADF1: ClientToScreen.USER32(?,?), ref: 0101AE1A
Part of subcall function 0101ADF1: GetWindowRect.USER32(?,?), ref: 0101AE90
Part of subcall function 0101ADF1: PtInRect.USER32(?,?,0101C304), ref: 0101AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0101C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0101C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0101C9AE
_wcscat.LIBCMT ref: 0101C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0101C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0101CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0101CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0101CA47
DragFinish.SHELL32(?), ref: 0101CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0101CB41

Strings

@GUI_DROPID, xrefs: 0101CA6E
@GUI_DRAGID, xrefs: 0101CAB9
@GUI_DRAGFILE, xrefs: 0101CAF0

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 4aaad98042f2eeda8bb81fa6f746f5f17ff3b040c503a1f25c7a43c9dad27602
Instruction ID: 75bbbf8426d5d052a5148df7c17cd9d5e6186fb4d188e8105bf27aadf7280cfa
Opcode Fuzzy Hash: 4aaad98042f2eeda8bb81fa6f746f5f17ff3b040c503a1f25c7a43c9dad27602
Instruction Fuzzy Hash: D4618A71108301AFEB11EF64DC85D9FBBE8FF89750F000A1EF592961A1DB799A09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01014619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010146AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 010146F6

Strings

GETTEXT, xrefs: 01014849
SELECT, xrefs: 010148A7
GETSELECTED, xrefs: 01014806
GETTOTALCOUNT, xrefs: 010146DD
UNCHECK, xrefs: 010148D2
ISCHECKED, xrefs: 01014879
CHECK, xrefs: 01014716
EXISTS, xrefs: 0101475F
EXPAND, xrefs: 010147A8
GETITEMCOUNT, xrefs: 010147D8
COLLAPSE, xrefs: 0101473C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 961bc93b967189265556d6b9fe0ecc7ef5428443e2c857f2a8e0535d83d586c5
Instruction ID: 770265d0fe3bc7a40df3fcfc4adb14ac4bfd73272dfec784e0e45e082e80f4f4
Opcode Fuzzy Hash: 961bc93b967189265556d6b9fe0ecc7ef5428443e2c857f2a8e0535d83d586c5
Instruction Fuzzy Hash: 259172742043029BDB14EF25C851A6EB7E1BF98314F04845CB8D69B3A6CB7DED09DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

CharLowerBuffW.USER32(?,?), ref: 00FFA636
GetDriveTypeW.KERNEL32 ref: 00FFA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA730

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

Strings

close, xrefs: 00FFA63C
open, xrefs: 00FFA65D
close cd wait, xrefs: 00FFA71B
closed, xrefs: 00FFA64A, 00FFA653
open , xrefs: 00FFA692
type cdaudio alias cd wait, xrefs: 00FFA6AE
set cd door , xrefs: 00FFA6D1
wait, xrefs: 00FFA6ED

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 244078654f522526a708ffe2f18d92f3b1cb1cf2c0f7e6a730f8d06d10c6e07d
Instruction ID: 5db2098a81f99591c9389f3221f2aa3299fbacc8e583c232c8034bf7afa3642e
Opcode Fuzzy Hash: 244078654f522526a708ffe2f18d92f3b1cb1cf2c0f7e6a730f8d06d10c6e07d
Instruction Fuzzy Hash: 6E514CB15083059FDB00EF25CC8196AB7F4FF88718F00496DF89A97261DB39AE09DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FFA47A
__swprintf.LIBCMT ref: 00FFA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FFA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FFA4FE
_memset.LIBCMT ref: 00FFA51D
_wcsncpy.LIBCMT ref: 00FFA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FFA58E
CloseHandle.KERNEL32(00000000), ref: 00FFA599
RemoveDirectoryW.KERNEL32(?), ref: 00FFA5A2
CloseHandle.KERNEL32(00000000), ref: 00FFA5AC

Strings

\??\%s, xrefs: 00FFA496
:, xrefs: 00FFA4BD
\, xrefs: 00FFA4B2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 8974ce09400d4138be0becc9dba19347dab0b310fb9f9d5ae4ae5f1a344fc8bf
Instruction ID: a602ee4572391441a00e05e4a7a2431d5348934b546552a36ceb365d2b9fb5ee
Opcode Fuzzy Hash: 8974ce09400d4138be0becc9dba19347dab0b310fb9f9d5ae4ae5f1a344fc8bf
Instruction Fuzzy Hash: 7731A2B190010AABDB21DFA1DC49FFB73BCEF88711F1441A6F608D6164E77896449B25

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00FCAB7B
___wtomb_environ.LIBCMT ref: 00FCAB9D

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

__malloc_crt.LIBCMT ref: 00FCABC5
__malloc_crt.LIBCMT ref: 00FCABE2
_free.LIBCMT ref: 00FCAC19
__recalloc_crt.LIBCMT ref: 00FCAC52
__recalloc_crt.LIBCMT ref: 00FCAC97
_strlen.LIBCMT ref: 00FCACC3
__calloc_crt.LIBCMT ref: 00FCACCD
_strlen.LIBCMT ref: 00FCACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00FCAD0A
_free.LIBCMT ref: 00FCAD24
_free.LIBCMT ref: 00FCAD31
_free.LIBCMT ref: 00FCAD43
__invoke_watson.LIBCMT ref: 00FCAD5D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 94298d275bf3ae9417357ae7ed977c6de27b793c89bd7614d906b475653d32e0
Instruction ID: 8e39a0bd86aec17fb7657fd92bcb455e33286af71000a94f8c0b8b96c5c191c6
Opcode Fuzzy Hash: 94298d275bf3ae9417357ae7ed977c6de27b793c89bd7614d906b475653d32e0
Instruction Fuzzy Hash: E361E57290020BAFDB209F24EE43FA977A9EB51379F10415DE801DB185EB39EC41EB52

Uniqueness

Uniqueness Score: -1.00%

Function 0101C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0101C4EC
GetFocus.USER32 ref: 0101C4FC
GetDlgCtrlID.USER32(00000000), ref: 0101C507
_memset.LIBCMT ref: 0101C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0101C65D
GetMenuItemCount.USER32(?), ref: 0101C67D
GetMenuItemID.USER32(?,00000000), ref: 0101C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0101C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0101C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0101C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0101C779

Strings

0, xrefs: 0101C62A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 5999fd40e570fa86874899b8d7f94bb521abcc0a6974e67634eaee8607e59e31
Instruction ID: 0e612ace392e15ce87ae75dd348a12428ef8ab02573781e2a56d101f237c35fd
Opcode Fuzzy Hash: 5999fd40e570fa86874899b8d7f94bb521abcc0a6974e67634eaee8607e59e31
Instruction Fuzzy Hash: B281A0702483019FE761DF28CA84AAFBBE8FB88354F00095DF9D593295D779D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE8766
Part of subcall function 00FE874A: GetLastError.KERNEL32(?,00FE822A,?,?,?), ref: 00FE8770
Part of subcall function 00FE874A: GetProcessHeap.KERNEL32(00000008,?,?,00FE822A,?,?,?), ref: 00FE877F
Part of subcall function 00FE874A: HeapAlloc.KERNEL32(00000000,?,00FE822A,?,?,?), ref: 00FE8786
Part of subcall function 00FE874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE879D

Part of subcall function 00FE87E7: GetProcessHeap.KERNEL32(00000008,00FE8240,00000000,00000000,?,00FE8240,?), ref: 00FE87F3
Part of subcall function 00FE87E7: HeapAlloc.KERNEL32(00000000,?,00FE8240,?), ref: 00FE87FA
Part of subcall function 00FE87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FE8240,?), ref: 00FE880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE8458
_memset.LIBCMT ref: 00FE846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE848C
GetLengthSid.ADVAPI32(?), ref: 00FE849D
GetAce.ADVAPI32(?,00000000,?), ref: 00FE84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE84F6
GetLengthSid.ADVAPI32(?), ref: 00FE8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FE8522
HeapAlloc.KERNEL32(00000000), ref: 00FE8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE854A
CopySid.ADVAPI32(00000000), ref: 00FE8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE85BC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 2189fea2c4a506958c8b23fceaa25bca836137d6890dcb1574a5723d1fe1a70c
Instruction ID: 17eceb4570aa3e8f5578aded05c9fc031fd04c7454700571caf46e563af1f0b5
Opcode Fuzzy Hash: 2189fea2c4a506958c8b23fceaa25bca836137d6890dcb1574a5723d1fe1a70c
Instruction Fuzzy Hash: 6E615D7190024AAFDF11EF91DC44AEEBBB9FF04360F048119F919A7290DB399A05DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0100762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010076A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 010076AE
CreateCompatibleDC.GDI32(?), ref: 010076BA
SelectObject.GDI32(00000000,?), ref: 010076C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0100771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01007757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0100777B
SelectObject.GDI32(00000006,?), ref: 01007783
DeleteObject.GDI32(?), ref: 0100778C
DeleteDC.GDI32(00000006), ref: 01007793
ReleaseDC.USER32(00000000,?), ref: 0100779E

Strings

(, xrefs: 01007723

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8c9fb87585a71efb97db370bb7f4047eaf36dd802fe216921f154f9d50d98179
Instruction ID: 5e894a71c42d284159b8f0045c63d06affce7c4fb32e6f9d13d92aa61d23ca80
Opcode Fuzzy Hash: 8c9fb87585a71efb97db370bb7f4047eaf36dd802fe216921f154f9d50d98179
Instruction Fuzzy Hash: A9514D75900209EFDB25CFA8CC84EAEBBB9FF48710F14851DF99A97250D739A944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0101FB78), ref: 00FFA0FC

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00FFA11E
__swprintf.LIBCMT ref: 00FFA177
__swprintf.LIBCMT ref: 00FFA190
_wprintf.LIBCMT ref: 00FFA246
_wprintf.LIBCMT ref: 00FFA264

Strings

Error: , xrefs: 00FFA20E
Line %d (File "%s"):, xrefs: 00FFA171, 00FFA18A
^ ERROR, xrefs: 00FFA1E8
"%s" (%d) : ==> %s:, xrefs: 00FFA25F
"%s" (%d) : ==> %s:%s%s, xrefs: 00FFA241

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 465bbd44a61bd13669cde06ad42d84ec85591a9750e0f849ca8044c481d0edbf
Instruction ID: e35d344e2c6c0acbca4db39e6021f0101d19fab0b934e8e2d4b4d768e3975a16
Opcode Fuzzy Hash: 465bbd44a61bd13669cde06ad42d84ec85591a9750e0f849ca8044c481d0edbf
Instruction Fuzzy Hash: 6B516C72904309ABDF15FBE1CD86EEEB778AF08700F500165B505721A1EB3A6F58EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F96BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F96C6C,?,00008000), ref: 00FB0BB7

Part of subcall function 00F948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F948A1,?,?,00F937C0,?), ref: 00F948CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F96D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00F96E5A

Part of subcall function 00F959CD: _wcscpy.LIBCMT ref: 00F95A05

Part of subcall function 00FB387D: _iswctype.LIBCMT ref: 00FB3885

Strings

Bad directive syntax error, xrefs: 00FCEBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FCE84A
AU3!, xrefs: 00F96CC1
EA06, xrefs: 00FCE87B
Error opening the file, xrefs: 00FCE866, 00FCE8E1
>>>AUTOIT SCRIPT<<<, xrefs: 00FCE8BF
Unterminated string, xrefs: 00FCEC0D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 2b4b4aae95376d8b385fa09ef9d269241cd91a6c62e1e039ee0b9262950bfc25
Instruction ID: a92e1f9d739e5d9b34cd82840d16bbecb458e5a32e976751569519d0af0fce36
Opcode Fuzzy Hash: 2b4b4aae95376d8b385fa09ef9d269241cd91a6c62e1e039ee0b9262950bfc25
Instruction Fuzzy Hash: DC02BE315083419FDB24EF24C881EAFBBE5BF98714F14091DF486972A1DB38D949EB42

Uniqueness

Uniqueness Score: -1.00%

Function 00F945DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F945F9
GetMenuItemCount.USER32(01056890), ref: 00FCD7CD
GetMenuItemCount.USER32(01056890), ref: 00FCD87D
GetCursorPos.USER32(?), ref: 00FCD8C1
SetForegroundWindow.USER32(00000000), ref: 00FCD8CA
TrackPopupMenuEx.USER32(01056890,00000000,?,00000000,00000000,00000000), ref: 00FCD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FCD8E9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: f4537785e72ca69a083cd15917cbae6ea839056fdd5d317123a48963e7418c8e
Instruction ID: 5f50d03ee9cf5c2369b5009477d26da6cf2c4a6772a89289d17882e3bb98eb09
Opcode Fuzzy Hash: f4537785e72ca69a083cd15917cbae6ea839056fdd5d317123a48963e7418c8e
Instruction Fuzzy Hash: 7F71E571A4020ABAFB219F54DD86FAEBF65FF05364F10022AF618A61D1C7B56814EB90

Uniqueness

Uniqueness Score: -1.00%

Function 010110A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,01010038,?,?), ref: 010110BC

Strings

HKLM, xrefs: 0101113A
HKCC, xrefs: 0101118A
HKU, xrefs: 010111CE
HKEY_CLASSES_ROOT, xrefs: 0101114F
HKEY_LOCAL_MACHINE, xrefs: 01011125
HKCR, xrefs: 01011164
HKEY_USERS, xrefs: 010111BD
HKEY_CURRENT_CONFIG, xrefs: 01011179
HKEY_CURRENT_USER, xrefs: 0101119B
HKCU, xrefs: 010111AC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 9af12d63d28acb5e7b648c1b7910d6e7c766a0d4becce1f770b8dd7b199bfbbd
Instruction ID: f5a0e669cb9551b8a94996324133db14ec2372f9db55bc5e14e41cfeb0b3d7f0
Opcode Fuzzy Hash: 9af12d63d28acb5e7b648c1b7910d6e7c766a0d4becce1f770b8dd7b199bfbbd
Instruction Fuzzy Hash: F0414AB011024A9BDF19EEA4DC81AEE3764BF09300F404454FDD15B29ADB78E91ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

Part of subcall function 00F97A84: _memmove.LIBCMT ref: 00F97B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FF55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FF55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FF560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FF561C

Strings

status PlayMe mode, xrefs: 00FF55CD
play PlayMe, xrefs: 00FF5617
play PlayMe wait, xrefs: 00FF5606
alias PlayMe, xrefs: 00FF55AB
open , xrefs: 00FF5581
close PlayMe, xrefs: 00FF55E3, 00FF5610

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 6784220ff4b693e4f037bea77d15297ced341120cbd738a2266b9ddad130b2f1
Instruction ID: b6cc5aec95ed518538a2e486f014d1f6350455c19134a9095542bc1a5807275c
Opcode Fuzzy Hash: 6784220ff4b693e4f037bea77d15297ced341120cbd738a2266b9ddad130b2f1
Instruction Fuzzy Hash: 1911CB71AA026DBAEB20B762CC85DFF7B7CEF91F00F4044297551970A1EEA41D05D5A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FF490E
gethostname.WSOCK32(?,00000100), ref: 00FF4928
gethostbyname.WSOCK32(?), ref: 00FF4935
_wcscpy.LIBCMT ref: 00FF495D
_memmove.LIBCMT ref: 00FF4970
inet_ntoa.WSOCK32(?), ref: 00FF497B
_strcat.LIBCMT ref: 00FF4989
_wcscpy.LIBCMT ref: 00FF49A0
WSACleanup.WSOCK32 ref: 00FF49AE
_wcscpy.LIBCMT ref: 00FF49BC

Strings

0.0.0.0, xrefs: 00FF4957

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 987f5f7ede1f1d2be1c703cd11213a08aeefa380bed733b0cc0cd2c5762efab2
Instruction ID: c3a1c9663dd94a8ac9ca0c63491155168795e3e6c0627fcce4f7325686b5af4b
Opcode Fuzzy Hash: 987f5f7ede1f1d2be1c703cd11213a08aeefa380bed733b0cc0cd2c5762efab2
Instruction Fuzzy Hash: 23112B31A04119AFCB30EB25DC45EFB77BCDF00720F0401B5F55496065EFB9AA85AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FF5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FF521C

Part of subcall function 00FB0719: timeGetTime.WINMM(?,75C0B400,00FA0FF9), ref: 00FB071D

Sleep.KERNEL32(0000000A), ref: 00FF5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00FF526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FF528E
SetActiveWindow.USER32 ref: 00FF52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FF52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FF52DA
Sleep.KERNEL32(000000FA), ref: 00FF52E5
IsWindow.USER32 ref: 00FF52F1
EndDialog.USER32(00000000), ref: 00FF5302

Strings

BUTTON, xrefs: 00FF5280

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 65764c963acf1f94ada60a00aeecb419e0b12645a6b52a008f389baf3d055e8a
Instruction ID: 8cc7278e545a5acbf515532d23cbfc809e105a926c94f9b8adbd22f75335dafb
Opcode Fuzzy Hash: 65764c963acf1f94ada60a00aeecb419e0b12645a6b52a008f389baf3d055e8a
Instruction Fuzzy Hash: E3219571200B49AFE7215B34ED88B363B69EF4579AF900514F38182165DBAF9C08F721

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

CoInitialize.OLE32(00000000), ref: 00FFD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FFD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00FFD8FC
CoCreateInstance.OLE32(01022D7C,00000000,00000001,0104A89C,?), ref: 00FFD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FFD9B7
CoTaskMemFree.OLE32(?,?), ref: 00FFDA0F
_memset.LIBCMT ref: 00FFDA4C
SHBrowseForFolderW.SHELL32(?), ref: 00FFDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FFDAAB
CoTaskMemFree.OLE32(00000000), ref: 00FFDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FFDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00FFDAEB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b63dc86106c62ced8a90224d9bf2c63921b17466dff5e333d723823be4d6fee2
Instruction ID: c636cfd98bc8072afe455ee5c83314e87d00b6bb46b96efb7df11f11473bd3b3
Opcode Fuzzy Hash: b63dc86106c62ced8a90224d9bf2c63921b17466dff5e333d723823be4d6fee2
Instruction Fuzzy Hash: 9FB12C75A00109AFDB14DFA5CC88DAEBBB9FF48314B048459F90AEB261DB34EE45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FF05A7
SetKeyboardState.USER32(?), ref: 00FF0612
GetAsyncKeyState.USER32(000000A0), ref: 00FF0632
GetKeyState.USER32(000000A0), ref: 00FF0649
GetAsyncKeyState.USER32(000000A1), ref: 00FF0678
GetKeyState.USER32(000000A1), ref: 00FF0689
GetAsyncKeyState.USER32(00000011), ref: 00FF06B5
GetKeyState.USER32(00000011), ref: 00FF06C3
GetAsyncKeyState.USER32(00000012), ref: 00FF06EC
GetKeyState.USER32(00000012), ref: 00FF06FA
GetAsyncKeyState.USER32(0000005B), ref: 00FF0723
GetKeyState.USER32(0000005B), ref: 00FF0731

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4787bbd232433c33e3c2f0353a27ba10bd313d8dc4233f1ba8680c90875dcf39
Instruction ID: 2f97e8ce6578da148a056612e8f132202c47b6eed9289eb0672580083eb0a62f
Opcode Fuzzy Hash: 4787bbd232433c33e3c2f0353a27ba10bd313d8dc4233f1ba8680c90875dcf39
Instruction Fuzzy Hash: 4851FA20E0478C69FB34EBA089547FABFB49F01390F0C4599D7C2561D3DEA89A4CDB55

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FEC746
GetWindowRect.USER32(00000000,?), ref: 00FEC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FEC7B6
GetDlgItem.USER32(?,00000002), ref: 00FEC7C1
GetWindowRect.USER32(00000000,?), ref: 00FEC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FEC827
GetDlgItem.USER32(?,000003E9), ref: 00FEC835
GetWindowRect.USER32(00000000,?), ref: 00FEC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FEC889
GetDlgItem.USER32(?,000003EA), ref: 00FEC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FEC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00FEC8C1

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d61141c51695465c4f07af38fea566dc85e0cf1e6ef7cf6287c8bf3f3375314
Instruction ID: 656478a94819a66318f8ade48c5bbb52b9a68db46bc8d284a5b5763dc164bf53
Opcode Fuzzy Hash: 7d61141c51695465c4f07af38fea566dc85e0cf1e6ef7cf6287c8bf3f3375314
Instruction Fuzzy Hash: 44516E71B00205AFDB18CFB9DD89AAEBBBAFB88310F14812DF515D6290D7759D048B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F92036,?,00000000,?,?,?,?,00F916CB,00000000,?), ref: 00F91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F920D3
KillTimer.USER32(-00000001,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00F9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00FCBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBF5A
DeleteObject.GDI32(00000000), ref: 00FCBF6C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6aadbdabfdd01402f3533ca6ec9122d8be2bcef494e6259e7db2b667aadf16c0
Instruction ID: 0775fe898875a0a4e57785621f9a503dfdcb4649ded768e308ad09883c2d1d09
Opcode Fuzzy Hash: 6aadbdabfdd01402f3533ca6ec9122d8be2bcef494e6259e7db2b667aadf16c0
Instruction Fuzzy Hash: E561BE35900712EFEB759F14D94AB2AB7F1FF40322F50461CE18286668C73BA895EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

GetSysColor.USER32(0000000F), ref: 00F921D3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4276bdde8ec6839a6fdf9ffd3c399a9776d979185386f086de2b33ed48b035eb
Instruction ID: 11b13ab07ca27c9a08f1d00b9c57fba1f92d1ecf9134d7c1d82a2a9ae6c6d91a
Opcode Fuzzy Hash: 4276bdde8ec6839a6fdf9ffd3c399a9776d979185386f086de2b33ed48b035eb
Instruction Fuzzy Hash: 4641E431404141AFFF655F28EC88BB93B65EB06331F184355FEA58A1E6C7368C82EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0101F910), ref: 00FFAB76
GetDriveTypeW.KERNEL32(00000061,0104A620,00000061), ref: 00FFAC40
_wcscpy.LIBCMT ref: 00FFAC6A

Strings

network, xrefs: 00FFABD4
cdrom, xrefs: 00FFAB92
unknown, xrefs: 00FFAC01
all, xrefs: 00FFAB7C
removable, xrefs: 00FFABA8
ramdisk, xrefs: 00FFABEA
fixed, xrefs: 00FFABBE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 5a2e54fb78095d65b874a6e31f705efbb4c135cb4646f94ed27a3f58ed7a0f18
Instruction ID: 8cdc19d91e05fd369fed6c2066ace16a85ad0ec7be798eee6134f464df819d07
Opcode Fuzzy Hash: 5a2e54fb78095d65b874a6e31f705efbb4c135cb4646f94ed27a3f58ed7a0f18
Instruction Fuzzy Hash: 1551D0716083059BD710EF18CC81ABEB7A5FF84710F10881DF69A572B2DB75D909EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F99997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F999C2
__swprintf.LIBCMT ref: 00F99A0C
__i64tow.LIBCMT ref: 00FCFA0F

Strings

0x%p, xrefs: 00FCF9F1
False, xrefs: 00FCF9D7
True, xrefs: 00FCF9D0
%.15g, xrefs: 00F99A06

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 869ad86c0e31815b4763d31ddf83d098d777bfdb8add4932952c98dd05e308c7
Instruction ID: e2328394541e8917717c889129bef46af40fc7267113890a35eaec8a568ef611
Opcode Fuzzy Hash: 869ad86c0e31815b4763d31ddf83d098d777bfdb8add4932952c98dd05e308c7
Instruction Fuzzy Hash: D7413772A08206AFEF24AF39DC42F7AB3E8EB44310F20046EE549D7251EE759901AB11

Uniqueness

Uniqueness Score: -1.00%

Function 010173C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010173D9
CreateMenu.USER32 ref: 010173F4
SetMenu.USER32(?,00000000), ref: 01017403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01017490
IsMenu.USER32(?), ref: 010174A6
CreatePopupMenu.USER32 ref: 010174B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010174DD
DrawMenuBar.USER32 ref: 010174E5

Strings

F, xrefs: 010174D1
0, xrefs: 010173CF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 858d8b72bea7f01b3f68282677bb5cfcdff05b3b29782e9be89d44e13b352b37
Instruction ID: e0009fe307e8b0f8ad35f973fb7525459f3f2fb6d9de6c94ebdd7126369b9296
Opcode Fuzzy Hash: 858d8b72bea7f01b3f68282677bb5cfcdff05b3b29782e9be89d44e13b352b37
Instruction Fuzzy Hash: E9415874A00209EFDB20DF68D884A9ABBF5FF49310F144168FA9597354DB3AA914CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0101772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 010177CD
CreateCompatibleDC.GDI32(00000000), ref: 010177D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 010177E7
SelectObject.GDI32(00000000,00000000), ref: 010177EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 010177FA
DeleteDC.GDI32(00000000), ref: 01017803
GetWindowLongW.USER32(?,000000EC), ref: 0101780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 01017821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0101782D

Strings

static, xrefs: 01017765

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f62e7b06079286871aa7a9e88be2f07ca8a5a3a9c1178ecc64aa053f7b544875
Instruction ID: 3b6b195006760a87f7bd2b25120ddc7063a34134966df9d10ad238349a04ef6d
Opcode Fuzzy Hash: f62e7b06079286871aa7a9e88be2f07ca8a5a3a9c1178ecc64aa053f7b544875
Instruction Fuzzy Hash: 40316D31101216ABDF229F78DC08FDA3BA9FF0D760F110215FA95A61A4DB3AD815DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB707B

Part of subcall function 00FB8D68: __getptd_noexit.LIBCMT ref: 00FB8D68

__gmtime64_s.LIBCMT ref: 00FB7114
__gmtime64_s.LIBCMT ref: 00FB714A
__gmtime64_s.LIBCMT ref: 00FB7167
__allrem.LIBCMT ref: 00FB71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB71D9
__allrem.LIBCMT ref: 00FB71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB720E
__allrem.LIBCMT ref: 00FB7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB7243
__invoke_watson.LIBCMT ref: 00FB72B4

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 5e8c52fa4917958314f9f8df0be3d032faeaa5af4f8563facff0ba31357e92e5
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 1271D771E04717ABD714BE7ACC42BDBB3B8AF94360F14422AF514E6281E774E940AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2A31
GetMenuItemInfoW.USER32(01056890,000000FF,00000000,00000030), ref: 00FF2A92
SetMenuItemInfoW.USER32(01056890,00000004,00000000,00000030), ref: 00FF2AC8
Sleep.KERNEL32(000001F4), ref: 00FF2ADA
GetMenuItemCount.USER32(?), ref: 00FF2B1E
GetMenuItemID.USER32(?,00000000), ref: 00FF2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00FF2B64
GetMenuItemID.USER32(?,?), ref: 00FF2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FF2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2C24

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 9eee58b6b21d02b89ef3d0c5989409641a489283e95774de895b9018be6ef402
Instruction ID: 41a3f49ef4cd21164d997727d9c925b7bade01fc82f41af0f2447a9b195e72a5
Opcode Fuzzy Hash: 9eee58b6b21d02b89ef3d0c5989409641a489283e95774de895b9018be6ef402
Instruction Fuzzy Hash: FA61B3B090034DAFDB61CF64C888EBE7BB8EF41364F140559EA41A7261D73AAD45EB21

Uniqueness

Uniqueness Score: -1.00%

Function 01017192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01017214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01017217
GetWindowLongW.USER32(?,000000F0), ref: 0101723B
_memset.LIBCMT ref: 0101724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0101725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 010172D6

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 582a8c88983125d11406f52b932760d7b7010a89774e8d234d5174e98f3df537
Instruction ID: c760e5815b89165ffe73bfe387e8e4b8397da3927cb7ce2d8d050fae56303772
Opcode Fuzzy Hash: 582a8c88983125d11406f52b932760d7b7010a89774e8d234d5174e98f3df537
Instruction Fuzzy Hash: 7E617CB5A00208AFDB20DFA8CC81EEE77F8EB09710F144199FA54A7391D779A945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FE7135
SafeArrayAllocData.OLEAUT32(?), ref: 00FE718E
VariantInit.OLEAUT32(?), ref: 00FE71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FE71C0
VariantCopy.OLEAUT32(?,?), ref: 00FE7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE7227
VariantClear.OLEAUT32(?), ref: 00FE723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00FE7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE7252
VariantClear.OLEAUT32(?), ref: 00FE7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE726F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e5f64446305f3f5db4e469bbd5a2f3439930b04ca0db038bc0c99d6ee4b0fdfe
Instruction ID: 778ca95aeb77a09c8261fe30f1558d72d4341ed065c2742cf8f601a0469b98f0
Opcode Fuzzy Hash: e5f64446305f3f5db4e469bbd5a2f3439930b04ca0db038bc0c99d6ee4b0fdfe
Instruction Fuzzy Hash: E8417035A04219AFCF10EFA9D844DADBBB8FF08354F008069FA45E7251CB39A949DF90

Uniqueness

Uniqueness Score: -1.00%

Function 010086D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

CoInitialize.OLE32 ref: 01008718
CoUninitialize.OLE32 ref: 01008723
CoCreateInstance.OLE32(?,00000000,00000017,01022BEC,?), ref: 01008783
IIDFromString.OLE32(?,?), ref: 010087F6
VariantInit.OLEAUT32(?), ref: 01008890
VariantClear.OLEAUT32(?), ref: 010088F1

Strings

NULL Pointer assignment, xrefs: 010087C8
Invalid parameter, xrefs: 0100880F
Failed to create object, xrefs: 0100878E, 01008844

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 92ef8bdf68bb0898525baad98157bba21ac4c135e7d613cd4d63f5cc164940d2
Instruction ID: e627e0b53b9d85aece01e7cf2da45468f4bdb2412e63f1b12057aca53639b328
Opcode Fuzzy Hash: 92ef8bdf68bb0898525baad98157bba21ac4c135e7d613cd4d63f5cc164940d2
Instruction Fuzzy Hash: 84618170A087119FE712DF69D844B5EBBE8BF44714F00885EF9C59B291CB74E948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FFB7B1
GetLastError.KERNEL32 ref: 00FFB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00FFB828

Strings

INVALID, xrefs: 00FFB7FA
UNKNOWN, xrefs: 00FFB7E0
NOTREADY, xrefs: 00FFB7E7
READONLY, xrefs: 00FFB7F3
READY, xrefs: 00FFB801

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 95053a34765e52c4bc76f20977c8980a64eb38e7ddfae44cc47a41bcc81b161a
Instruction ID: 7c955444c7758a164c41085619a9a458c985cafeaff1ba4f8c4008dbcd619444
Opcode Fuzzy Hash: 95053a34765e52c4bc76f20977c8980a64eb38e7ddfae44cc47a41bcc81b161a
Instruction Fuzzy Hash: DA31A676E4020D9FEB10FF64CC85ABEB7B4EF84750F104029E606DB2A1DB799946E750

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00FEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00FEB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FE94F6
GetDlgCtrlID.USER32 ref: 00FE9501
GetParent.USER32 ref: 00FE951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE9520
GetDlgCtrlID.USER32(?), ref: 00FE9529
GetParent.USER32(?), ref: 00FE9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FE9548

Strings

ComboBox, xrefs: 00FE947E
ListBox, xrefs: 00FE94B3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5f959b75a5dc6900de1d7f7b58c6dc16d89c75d48ab880ff59474755869064bc
Instruction ID: 40c3722ad69a859351307ee31e1699d0f38bfafdc32fe002feb72699f3379554
Opcode Fuzzy Hash: 5f959b75a5dc6900de1d7f7b58c6dc16d89c75d48ab880ff59474755869064bc
Instruction Fuzzy Hash: 1421F174D04204BBDF00EBA2CC85EFEBBB4EF49310F104119B961972A2DB7D5919EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00FE955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00FEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00FEB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FE95DF
GetDlgCtrlID.USER32 ref: 00FE95EA
GetParent.USER32 ref: 00FE9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE9609
GetDlgCtrlID.USER32(?), ref: 00FE9612
GetParent.USER32(?), ref: 00FE962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FE9631

Strings

ComboBox, xrefs: 00FE9569
ListBox, xrefs: 00FE959E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 52faa716478d194c6f7db93e560f4f73bca89ec886c137d19156aa3496d81fc9
Instruction ID: 627c69faa0f015cd6d9a1688e38b83a19e9eacbd7674c5ec1e251158c270467e
Opcode Fuzzy Hash: 52faa716478d194c6f7db93e560f4f73bca89ec886c137d19156aa3496d81fc9
Instruction Fuzzy Hash: EB21C170D00204BBDF00AB61CC85EFEBBA8EF48300F10001AB961971A5DB7D9919AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FE9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00FE9666
_wcscmp.LIBCMT ref: 00FE9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FE96F3

Strings

largeicons, xrefs: 00FE9687
list, xrefs: 00FE96D5
details, xrefs: 00FE96A1
SHELLDLL_DefView, xrefs: 00FE9672
smallicons, xrefs: 00FE96BB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: f7dfe553da31e6740ac13ebf0b34041497ddf0e840e1cb077f169a624dc4a89e
Instruction ID: cecb665bddb934d00624a810b3dea5f7a5687de15a401d72a772b5e0b2d4d5a8
Opcode Fuzzy Hash: f7dfe553da31e6740ac13ebf0b34041497ddf0e840e1cb077f169a624dc4a89e
Instruction Fuzzy Hash: DA110A7768C347BBF7102527DC46DE7779C9B08374B30003BF900A5091FEE669146AA8

Uniqueness

Uniqueness Score: -1.00%

Function 01008BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01008BEC
CoInitialize.OLE32(00000000), ref: 01008C19
CoUninitialize.OLE32 ref: 01008C23
GetRunningObjectTable.OLE32(00000000,?), ref: 01008D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 01008E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01022C0C), ref: 01008E84
CoGetObject.OLE32(?,00000000,01022C0C,?), ref: 01008EA7
SetErrorMode.KERNEL32(00000000), ref: 01008EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01008F3A
VariantClear.OLEAUT32(?), ref: 01008F4A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: de2784a95407b4010c8b48d86086938aaccf0e24bb61672bc611cfd7cae4d7d3
Instruction ID: c32869888ae1786f881cb438966bb8b9c8e7d1b2552ff41cc36a7a26f2a6c1f6
Opcode Fuzzy Hash: de2784a95407b4010c8b48d86086938aaccf0e24bb61672bc611cfd7cae4d7d3
Instruction Fuzzy Hash: B8C12871608305AFE701EF68C88492BBBE9FF88748F00495EF5899B291DB75ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FF419D
__swprintf.LIBCMT ref: 00FF41AA

Part of subcall function 00FB38D8: __woutput_l.LIBCMT ref: 00FB3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00FF41D4
LoadResource.KERNEL32(?,00000000), ref: 00FF41E0
LockResource.KERNEL32(00000000), ref: 00FF41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00FF420D
LoadResource.KERNEL32(?,00000000), ref: 00FF421F
SizeofResource.KERNEL32(?,00000000), ref: 00FF422E
LockResource.KERNEL32(?), ref: 00FF423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00FF429B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 094cd80ee4f81b8b1ac5465494d145f877084c06c9c4206472457834c3eff3b5
Instruction ID: c651fd9a200f11ad29e6dd233477b66643dcf08d98bbccabff52e49726d08a89
Opcode Fuzzy Hash: 094cd80ee4f81b8b1ac5465494d145f877084c06c9c4206472457834c3eff3b5
Instruction Fuzzy Hash: 79319071A0121AABDB219F61DC48EFF7BACFF08301F004525FA45D2150E779EA51EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FF16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF1714
GetWindowThreadProcessId.USER32(00000000), ref: 00FF171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FF173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FF0778,?,00000001), ref: 00FF17CC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6f969d0d416a8c3003223165303ab2ab719d7a66ac0df39a64194f5471804379
Instruction ID: c2204c8985f4945458f2de5df9819acc168e7e380c88fad16907405103b50ace
Opcode Fuzzy Hash: 6f969d0d416a8c3003223165303ab2ab719d7a66ac0df39a64194f5471804379
Instruction Fuzzy Hash: 9331B176A00308FBDB31EF24E888F7A77A9BF19721F104014FA49D6294D77E9D44AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F9FC06
OleUninitialize.OLE32(?,00000000), ref: 00F9FCA5
UnregisterHotKey.USER32(?), ref: 00F9FDFC
DestroyWindow.USER32(?), ref: 00FD4A00
FreeLibrary.KERNEL32(?), ref: 00FD4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD4A92

Strings

close all, xrefs: 00F9FC01

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 839de33d0b969e457c449442a51a6317141a5f432c2af5abab2b64ef8cb95cd0
Instruction ID: e9932442dad6de5d55150d420763b0bf5fd4c22f6b295500fc4810a9b21744b4
Opcode Fuzzy Hash: 839de33d0b969e457c449442a51a6317141a5f432c2af5abab2b64ef8cb95cd0
Instruction Fuzzy Hash: 54A17131B01212CFDB29EF14C895B69F765BF05710F1842AEE80AAB251CB38ED16EF54

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FEAA64), ref: 00FEA9A2

Strings

CLASSNN, xrefs: 00FEA744
INSTANCE, xrefs: 00FEA8B0
REGEXPCLASS, xrefs: 00FEA767
NAME, xrefs: 00FEA7D4
CLASS, xrefs: 00FEA721
TEXT, xrefs: 00FEA8D9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 74a669a3c4f00625634290e6a33fa79e772678cc930f67608dea77ff3fa11be3
Instruction ID: 0c9b34e35ca3fab7f3452dd1d1430425d070b9023aea18f9486f46923b2d36f4
Opcode Fuzzy Hash: 74a669a3c4f00625634290e6a33fa79e772678cc930f67608dea77ff3fa11be3
Instruction Fuzzy Hash: DF91B771A00246EBDB18EF71C881BEEF774BF08314F508129D89AA7152DF347A59EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F92E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F92EAE

Part of subcall function 00F91DB3: GetClientRect.USER32(?,?), ref: 00F91DDC
Part of subcall function 00F91DB3: GetWindowRect.USER32(?,?), ref: 00F91E1D
Part of subcall function 00F91DB3: ScreenToClient.USER32(?,?), ref: 00F91E45

GetDC.USER32 ref: 00FCCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FCCF95
SelectObject.GDI32(00000000,00000000), ref: 00FCCFA3
SelectObject.GDI32(00000000,00000000), ref: 00FCCFB8
ReleaseDC.USER32(?,00000000), ref: 00FCCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FCD04B

Strings

U, xrefs: 00FCCF20

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f478e6b9c3d46810983e491bbf31378f23dd4f58d40c63ac1a047f4098313661
Instruction ID: e722fa74164344f76abc58aa1e357ca34678802212036d2d47051e60cef34f51
Opcode Fuzzy Hash: f478e6b9c3d46810983e491bbf31378f23dd4f58d40c63ac1a047f4098313661
Instruction Fuzzy Hash: 0971D331800206EFDF21DF68C982FAA3BB6FF49360F14426EED955A159D7368841EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

Part of subcall function 00F92344: GetCursorPos.USER32(?), ref: 00F92357
Part of subcall function 00F92344: ScreenToClient.USER32(010567B0,?), ref: 00F92374
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000001), ref: 00F92399
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000002), ref: 00F923A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0101C2E4
ImageList_EndDrag.COMCTL32 ref: 0101C2EA
ReleaseCapture.USER32 ref: 0101C2F0
SetWindowTextW.USER32(?,00000000), ref: 0101C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0101C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0101C48F

Strings

@GUI_DROPID, xrefs: 0101C3E1
@GUI_DRAGFILE, xrefs: 0101C424

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: e8390277728e81561711213a97bdfc1d9779a6d2e69382c34cd46a2d0dd9dcd9
Instruction ID: e1ecf022af0dfdf585fca0b95af5adbbd9224ab4f64b3a429aa394462d933537
Opcode Fuzzy Hash: e8390277728e81561711213a97bdfc1d9779a6d2e69382c34cd46a2d0dd9dcd9
Instruction Fuzzy Hash: 1B51AE70208305AFEB10EF24C855FAA7BE1FB88310F40461DF5958B2A5DB7A9948DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01008F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0101F910), ref: 0100903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0101F910), ref: 01009071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010091EB
SysFreeString.OLEAUT32(?), ref: 01009215

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 884896fb9c504fb0c3bf58ac7918b2b38807751de2f7bfd3c8636958c1c2b8ad
Instruction ID: 312bf3310998504924ccf736fc817d3af084226c97ab70f732f0b1577285552c
Opcode Fuzzy Hash: 884896fb9c504fb0c3bf58ac7918b2b38807751de2f7bfd3c8636958c1c2b8ad
Instruction Fuzzy Hash: EAF12C71A00109EFEF15DF98C888EAEB7B9FF49314F108099F559AB291CB35AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0100FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0100FD90
CloseHandle.KERNEL32(?), ref: 0100FDBF
CloseHandle.KERNEL32(?), ref: 0100FE36

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: adcc4cdd4f5543b41c28a27d57267e57fee69f8fd1cdd2029f5ca68d97d29a95
Instruction ID: c58b374e4874dfba00bb1109bc1d05d1aa895c8763f43ea92128ddbe06a8f037
Opcode Fuzzy Hash: adcc4cdd4f5543b41c28a27d57267e57fee69f8fd1cdd2029f5ca68d97d29a95
Instruction Fuzzy Hash: 9CE1E431204342DFEB25EF28C881A6ABBE1BF85350F04845DF9998B2A2CB35DC45DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF38D3,?), ref: 00FF48C7

Part of subcall function 00FF48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF38D3,?), ref: 00FF48E0

Part of subcall function 00FF4CD3: GetFileAttributesW.KERNEL32(?,00FF3947), ref: 00FF4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00FF4FE2
_wcscmp.LIBCMT ref: 00FF4FFC
MoveFileW.KERNEL32(?,?), ref: 00FF5017

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: c6269b3dbc634dd360c298bb563bc0959a8664b395f7ce91609d1554be1d9d12
Instruction ID: 9e74b41cc786806b3fbc8a352d3b680b853cf7d4d4944c9804f84626377e51ea
Opcode Fuzzy Hash: c6269b3dbc634dd360c298bb563bc0959a8664b395f7ce91609d1554be1d9d12
Instruction Fuzzy Hash: 3E5186B24087855BC720DB50DC859EFB3ECAF84750F10091EF289D3161EF78B1889B66

Uniqueness

Uniqueness Score: -1.00%

Function 010188B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0101896E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 2815eaf1c8732f7bb2c333efa786885062c83132a5a42a5c5daf1677e79c9353
Instruction ID: 570259d7e2b7ce67f7d91a90e1359823670ac542d136d2ebc68c9fac3e64ea6c
Opcode Fuzzy Hash: 2815eaf1c8732f7bb2c333efa786885062c83132a5a42a5c5daf1677e79c9353
Instruction Fuzzy Hash: B051C131600209BBFF309E68DC85B993BA5BB05354F548253FA90E61E9D77EAB80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F92B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FCC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FCC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FCC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FCC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FCC5C0
DestroyIcon.USER32(00000000), ref: 00FCC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FCC5EC
DestroyIcon.USER32(?), ref: 00FCC5FB

Part of subcall function 0101A71E: DeleteObject.GDI32(00000000), ref: 0101A757

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: cce663f59b0a5abf084be0c65226007cd0ae1b1ab6f75a7177b9111a817e43cd
Instruction ID: 072e2c009e28a4302c98ace3afe6d1f0468b5132c1526ea20298bc772c825ec0
Opcode Fuzzy Hash: cce663f59b0a5abf084be0c65226007cd0ae1b1ab6f75a7177b9111a817e43cd
Instruction Fuzzy Hash: AE515971A0020AAFEF24DF24DD45FAA37E5FB58360F100518F94697290DB79ED90EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FE8A84,00000B00,?,?), ref: 00FE8E0C
HeapAlloc.KERNEL32(00000000,?,00FE8A84,00000B00,?,?), ref: 00FE8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE8A84,00000B00,?,?), ref: 00FE8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00FE8A84,00000B00,?,?), ref: 00FE8E30
DuplicateHandle.KERNEL32(00000000,?,00FE8A84,00000B00,?,?), ref: 00FE8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FE8A84,00000B00,?,?), ref: 00FE8E43
GetCurrentProcess.KERNEL32(00FE8A84,00000000,?,00FE8A84,00000B00,?,?), ref: 00FE8E4B
DuplicateHandle.KERNEL32(00000000,?,00FE8A84,00000B00,?,?), ref: 00FE8E4E
CreateThread.KERNEL32(00000000,00000000,00FE8E74,00000000,00000000,00000000), ref: 00FE8E68

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9ba918ed23571ae260265af0c94906f5346ccdb771f1c34074f8748ae00d8762
Instruction ID: 144f1fdb35228679c72bd56c7c9271e9ebcfa853de875106f5bba5dba182c788
Opcode Fuzzy Hash: 9ba918ed23571ae260265af0c94906f5346ccdb771f1c34074f8748ae00d8762
Instruction Fuzzy Hash: 9601BBB5240349BFE720ABA5DC4DF6B3BACEB89711F004511FA45DB195CAB99804CB20

Uniqueness

Uniqueness Score: -1.00%

Function 01009428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100947C
VariantInit.OLEAUT32(?), ref: 0100954D
VariantInit.OLEAUT32(?), ref: 0100964E
VariantClear.OLEAUT32(?), ref: 01009658
VariantClear.OLEAUT32(?), ref: 010096B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 01009631
Null Object assignment in FOR..IN loop, xrefs: 010094DD, 0100960B, 010096C3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 65cc46a2c9e75a6932e15deea7cb9ef583f0c7f52ebd98839801d55ec91181b1
Instruction ID: c7410dc27df9925195617ddf7088f83954d9abc1534846713973c2793c7be11e
Opcode Fuzzy Hash: 65cc46a2c9e75a6932e15deea7cb9ef583f0c7f52ebd98839801d55ec91181b1
Instruction Fuzzy Hash: 7991C571A00205AFEF25DFA5CC44FAEBBB8EF49314F008559F559AB282D7749904CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01016FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01017093
SendMessageW.USER32(?,00001036,00000000,?), ref: 010170A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 010170C1
_wcscat.LIBCMT ref: 0101711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 01017133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01017161

Strings

SysListView32, xrefs: 01017065

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 9c2cc6cee8f2040cf49dfe0a41ce9f665505514f4468ddcae462bdcd1b70767e
Instruction ID: 95d4630a386211629fd17274c8ef9b334ff25bf9a96d8d2be285ebf3e4131788
Opcode Fuzzy Hash: 9c2cc6cee8f2040cf49dfe0a41ce9f665505514f4468ddcae462bdcd1b70767e
Instruction Fuzzy Hash: 0541A475A00309EFEB22DF68CC85BEE77E9EF08350F10056AF584A7196D67A99848B50

Uniqueness

Uniqueness Score: -1.00%

Function 0100EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00FF3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00FF3EB6
Part of subcall function 00FF3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00FF3EC4
Part of subcall function 00FF3E91: CloseHandle.KERNEL32(00000000), ref: 00FF3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100ECB8
GetLastError.KERNEL32 ref: 0100ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0100ED77
GetLastError.KERNEL32(00000000), ref: 0100ED82
CloseHandle.KERNEL32(00000000), ref: 0100EDB7

Strings

SeDebugPrivilege, xrefs: 0100ECD6

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ecf36767eaf55ae30e955f1147e23307adf7af84ac150bfc71c2f2e7d380c6bb
Instruction ID: a3636fec865ffbc56b8243d01468a55994114dfd2587caaf404ffbc91fa5e77d
Opcode Fuzzy Hash: ecf36767eaf55ae30e955f1147e23307adf7af84ac150bfc71c2f2e7d380c6bb
Instruction Fuzzy Hash: E641A0712042019FEB11EF28CC95F6DB7A4EF40714F088459F9869B2D2DBBDA805DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FF32C5

Strings

question, xrefs: 00FF327E
blank, xrefs: 00FF3247
info, xrefs: 00FF3266
stop, xrefs: 00FF3296
warning, xrefs: 00FF32AE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7605b1774289463ed8a4cef57d18bf93bef07929e711dd1dbd3b2475ba01e761
Instruction ID: 25b81e2df4a1c6eec964eb970a35d9b5a8a8ae7ca2f76c9b125a69f24a0128ef
Opcode Fuzzy Hash: 7605b1774289463ed8a4cef57d18bf93bef07929e711dd1dbd3b2475ba01e761
Instruction Fuzzy Hash: E6110D32B8835ABBE7015A59DC83DBAB39CEF19374F10002EF60196191D6795B407AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FF454E
LoadStringW.USER32(00000000), ref: 00FF4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FF456B
LoadStringW.USER32(00000000), ref: 00FF4572
_wprintf.LIBCMT ref: 00FF4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FF45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FF4593

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 88ee4e4e373b4f56c74fed132b87ae1f5ea52520e7397a73590e45a687a6280b
Instruction ID: 39369e478fed20bd68d45bbb0e02c90dd4982a0661e7c0a1d8df35e0991d69c5
Opcode Fuzzy Hash: 88ee4e4e373b4f56c74fed132b87ae1f5ea52520e7397a73590e45a687a6280b
Instruction Fuzzy Hash: E00167F29002097FE720E7A1DD89EF7776CDB08311F400595BB85D2005EA7D9E894B70

Uniqueness

Uniqueness Score: -1.00%

Function 0101D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetSystemMetrics.USER32(0000000F), ref: 0101D78A
GetSystemMetrics.USER32(0000000F), ref: 0101D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0101D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0101DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0101DA24
ShowWindow.USER32(00000003,00000000), ref: 0101DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0101DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0101DA8B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: b3ae58ae8bdc6a568b8b84fecde1d89a2de2c4ebcd70dc828639ac6a8aaa51dd
Instruction ID: 9f6dea653d3dd5a80f06f3977e7e8ca05396bc00fc71ae539307704bdb9f9f60
Opcode Fuzzy Hash: b3ae58ae8bdc6a568b8b84fecde1d89a2de2c4ebcd70dc828639ac6a8aaa51dd
Instruction Fuzzy Hash: FEB17A71600216EBDF14CFA8C9897BD7BF2BF44711F0881A9ED889B299D739A950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FCC417,00000004,00000000,00000000,00000000), ref: 00F92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FCC417,00000004,00000000,00000000,00000000,000000FF), ref: 00F92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FCC417,00000004,00000000,00000000,00000000), ref: 00FCC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FCC417,00000004,00000000,00000000,00000000), ref: 00FCC4D6

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 56dad9334cf33421dc52ee0ffc2e9b3b9b2902490d4ec37770935c4c239d87ec
Instruction ID: 170542df8a2b09f5c896f3134d17d2fae972fe405c91099c09b8b6d7c59b2b0e
Opcode Fuzzy Hash: 56dad9334cf33421dc52ee0ffc2e9b3b9b2902490d4ec37770935c4c239d87ec
Instruction Fuzzy Hash: 81411E33A04681BAEFBADB288D98B777B91AB95320F54C80DE08786551C63D9845F750

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FF737F

Part of subcall function 00FB0FF6: std::exception::exception.LIBCMT ref: 00FB102C
Part of subcall function 00FB0FF6: __CxxThrowException@8.LIBCMT ref: 00FB1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FF73B6
EnterCriticalSection.KERNEL32(?), ref: 00FF73D2
_memmove.LIBCMT ref: 00FF7420
_memmove.LIBCMT ref: 00FF743D
LeaveCriticalSection.KERNEL32(?), ref: 00FF744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FF7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF7480

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 93cd8c7c7781c20359c77bf21e295a2aeb8169a19c18cb652336b6f4b0d92abc
Instruction ID: 02b305ace0830c01488ced8b1bdaa26539be1a73150caaa12ebfa5a6a1f47fa1
Opcode Fuzzy Hash: 93cd8c7c7781c20359c77bf21e295a2aeb8169a19c18cb652336b6f4b0d92abc
Instruction Fuzzy Hash: B831C131900205EBCF10EF55DC85AAFBB78FF45310B1441A5FD04EB24ADB399A14EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01016442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0101645A
GetDC.USER32(00000000), ref: 01016462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0101646D
ReleaseDC.USER32(00000000,00000000), ref: 01016479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 010164B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 010164C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01019299,?,?,000000FF,00000000,?,000000FF,?), ref: 01016500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01016520

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fdef45002537a9232ee5ddabf408e5890a5569fff97d98208659c97ce16f8506
Instruction ID: d8bcb4fc67a31174ea6262da32cc2d84c260cefb8eac89d7060a25e00f01dfc7
Opcode Fuzzy Hash: fdef45002537a9232ee5ddabf408e5890a5569fff97d98208659c97ce16f8506
Instruction Fuzzy Hash: 2D318072201214BFEB218F64DC49FEB3FA9EF09761F044055FE48DA199D6BA9841CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FEC087
_memcmp.LIBCMT ref: 00FEC0A9
_memcmp.LIBCMT ref: 00FEC0C1
_memcmp.LIBCMT ref: 00FEC0D4
_memcmp.LIBCMT ref: 00FEC0EE
_memcmp.LIBCMT ref: 00FEC101
_memcmp.LIBCMT ref: 00FEC119
_memcmp.LIBCMT ref: 00FEC134

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6357048c0aad9b982f850112bf493a4562c953d96fa76ded5ac20d6c8086d64a
Instruction ID: 23d111f2192e8d6a02a8aefee82983187a8034c91cf82207396d3820e6341b13
Opcode Fuzzy Hash: 6357048c0aad9b982f850112bf493a4562c953d96fa76ded5ac20d6c8086d64a
Instruction Fuzzy Hash: F5212672A00255BBD610A5238C52FFF339DAF503A4F440024FE05DB652E719DE22B5E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

Part of subcall function 00FAFEC6: _wcscpy.LIBCMT ref: 00FAFEE9

_wcstok.LIBCMT ref: 00FFEEFF
_wcscpy.LIBCMT ref: 00FFEF8E
_memset.LIBCMT ref: 00FFEFC1

Strings

X, xrefs: 00FFEFFE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 8002885a6e6122f5cb0bbe4637423d3efed5fe835c44b634f24355550b6557c7
Instruction ID: 4314be78d1e2b2fc2575fc3221c730a423b06fbf69ea964e90f643babfef6eff
Opcode Fuzzy Hash: 8002885a6e6122f5cb0bbe4637423d3efed5fe835c44b634f24355550b6557c7
Instruction Fuzzy Hash: EFC17E715083019FDB24EF24CC81AAAB7E4BF84714F04492DF9999B2B2DB74ED45DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2aa0bb859fcca3ebc82895491b995ebb111b6f29d0b4b62784b504001f294b
Instruction ID: 739b2cc389552b0461aad118b432b8feb4758c99ebdc470910dd2ea246023e95
Opcode Fuzzy Hash: 2e2aa0bb859fcca3ebc82895491b995ebb111b6f29d0b4b62784b504001f294b
Instruction Fuzzy Hash: 33718E3590010AEFDF14DF98CC49EBEBB78FF8A320F248159F915AA251C734AA51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01006E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a0f6d11a4addd693aca4ea8420b49c542766f43d37aa07334ff9254c6485c7
Instruction ID: cea88c3be4ed7bf68b19a026ee7e068a42996e4bfc19fcf064ab0f08fed4eb60
Opcode Fuzzy Hash: c3a0f6d11a4addd693aca4ea8420b49c542766f43d37aa07334ff9254c6485c7
Instruction Fuzzy Hash: 7A61C071508300ABEB11EF28CC81E6FB7E9AF84B14F004A1DF685972D2DB79AD05C792

Uniqueness

Uniqueness Score: -1.00%

Function 0101B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01A048B8), ref: 0101B6A5
IsWindowEnabled.USER32(01A048B8), ref: 0101B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0101B795
SendMessageW.USER32(01A048B8,000000B0,?,?), ref: 0101B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0101B809
GetWindowLongW.USER32(01A048B8,000000EC), ref: 0101B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0101B843

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 938fde7fe6c52a2082e237f4066c1eae4082b02f813162f19ecfc4e562640129
Instruction ID: 477265a2ddc8ee3a34f086df7a14fbb22a88a3e9af8d1bd1daeb89b4e9c65456
Opcode Fuzzy Hash: 938fde7fe6c52a2082e237f4066c1eae4082b02f813162f19ecfc4e562640129
Instruction Fuzzy Hash: 74717C34600205AFEB61DF68C8D4FAA7BF9FF5D340F084499EAC597269C73AA941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100F75C
_memset.LIBCMT ref: 0100F825
ShellExecuteExW.SHELL32(?), ref: 0100F86A

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

Part of subcall function 00FAFEC6: _wcscpy.LIBCMT ref: 00FAFEE9

GetProcessId.KERNEL32(00000000), ref: 0100F8E1
CloseHandle.KERNEL32(00000000), ref: 0100F910

Strings

@, xrefs: 0100F839

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4aee3f35734deef0cf53d9e2e7f0e60fbc9f0fa4e64b297e79afb8de0efed42b
Instruction ID: 67a3677c41e063d5023be1f3cf22a8f89a024ce840bf752f22d6badf0539c225
Opcode Fuzzy Hash: 4aee3f35734deef0cf53d9e2e7f0e60fbc9f0fa4e64b297e79afb8de0efed42b
Instruction Fuzzy Hash: 1A61A075A0061A9FEF15EF58C8809ADBBF4FF48310F15805DE889AB391CB34AE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FF149C
GetKeyboardState.USER32(?), ref: 00FF14B1
SetKeyboardState.USER32(?), ref: 00FF1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FF1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FF155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FF15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FF15C8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc26d0540ade0397344de82f8a3f63548dd921ec503e34c12320858fb46a9ff4
Instruction ID: 02db668c7732717056bd2d48276181ac88949c7f7fe78604c7f92b22e9789fb8
Opcode Fuzzy Hash: bc26d0540ade0397344de82f8a3f63548dd921ec503e34c12320858fb46a9ff4
Instruction Fuzzy Hash: 8451F3A0A043D9BDFB3286348C45BBA7EA97F46324F0C4589E2D5868E2D3D99C94E750

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FF12B5
GetKeyboardState.USER32(?), ref: 00FF12CA
SetKeyboardState.USER32(?), ref: 00FF132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FF1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FF1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FF13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FF13D9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f6b01f71218f41de5cbbfdf04c530f3e299022719e1e012cdcb232cca6e8b654
Instruction ID: 69cbbe0541c7a52f05b41a541b416f38b77c2c45998b035486d6690c4c6ee4e6
Opcode Fuzzy Hash: f6b01f71218f41de5cbbfdf04c530f3e299022719e1e012cdcb232cca6e8b654
Instruction Fuzzy Hash: DD51F6A0D047DDBDFB3686248C45B7A7FA97F06310F088589E2D8568E2D395AC98F750

Uniqueness

Uniqueness Score: -1.00%

Function 00FF589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FF58AC
_wcsncpy.LIBCMT ref: 00FF58E1
_wcsncpy.LIBCMT ref: 00FF5913
_wcsncpy.LIBCMT ref: 00FF5946
_wcsncpy.LIBCMT ref: 00FF5988
_wcsncpy.LIBCMT ref: 00FF59C2
_wcsncpy.LIBCMT ref: 00FF59F1

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 2b9678052e52ea3bae26ba26149e06249d1fb1322aefe3014fe29b0a89468981
Instruction ID: d258043c56f9633abc6577883df687d6cf1efe859a9cf5e0c2455fb8cfb03b46
Opcode Fuzzy Hash: 2b9678052e52ea3bae26ba26149e06249d1fb1322aefe3014fe29b0a89468981
Instruction Fuzzy Hash: 0A41D665C2011876CB11EBB6CC869DFB3A8AF04710F508556F618E3522FB38E715EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF38D3,?), ref: 00FF48C7

Part of subcall function 00FF48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF38D3,?), ref: 00FF48E0

lstrcmpiW.KERNEL32(?,?), ref: 00FF38F3
_wcscmp.LIBCMT ref: 00FF390F
MoveFileW.KERNEL32(?,?), ref: 00FF3927
_wcscat.LIBCMT ref: 00FF396F
SHFileOperationW.SHELL32(?), ref: 00FF39DB

Strings

\*.*, xrefs: 00FF3969

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 2ef75c12e2e575da17d2e73b6ee1cac85d52d246a14d9934bf04f29960d3dbdd
Instruction ID: 9577fa9d8d4660012b251f92f78681656adc10cf077048400fee85a557ff6144
Opcode Fuzzy Hash: 2ef75c12e2e575da17d2e73b6ee1cac85d52d246a14d9934bf04f29960d3dbdd
Instruction Fuzzy Hash: 4F41967150C3489EC761EF64C881AEFB7ECAF84350F00192EF599D3161EA79D648DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01017500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01017519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010175C0
IsMenu.USER32(?), ref: 010175D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01017620
DrawMenuBar.USER32 ref: 01017633

Strings

0, xrefs: 0101750D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 207085c389e27ddd073be0f0285610c57df25b1efe52c42d6a46212e8fbcc813
Instruction ID: 03db8445625895953048a139cbdebf4e2b7e5ca4913f5cdbfc54bb6f8fd43548
Opcode Fuzzy Hash: 207085c389e27ddd073be0f0285610c57df25b1efe52c42d6a46212e8fbcc813
Instruction Fuzzy Hash: 8C416C75A00209EFDB20DF58D884EAABBF8FF08350F048569FA9997254D739E954CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0101122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0101125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01011286
FreeLibrary.KERNEL32(00000000), ref: 0101133D

Part of subcall function 0101122D: RegCloseKey.ADVAPI32(?), ref: 010112A3
Part of subcall function 0101122D: FreeLibrary.KERNEL32(?), ref: 010112F5
Part of subcall function 0101122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01011318

RegDeleteKeyW.ADVAPI32(?,?), ref: 010112E0

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 014a0458e2e112a7cbd977604a63f89d49cbea38eb86d592690bdf711b96a954
Instruction ID: ac709839298722c8c5dad70bf91dc79cf85fccf7187072d23f260fe69c275379
Opcode Fuzzy Hash: 014a0458e2e112a7cbd977604a63f89d49cbea38eb86d592690bdf711b96a954
Instruction Fuzzy Hash: CF3134B1901119BFEB19DBA4D885DFF77BCEF08340F004169F681E2144D7799E499BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0101653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0101655B
GetWindowLongW.USER32(01A048B8,000000F0), ref: 0101658E
GetWindowLongW.USER32(01A048B8,000000F0), ref: 010165C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 010165F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0101661F
GetWindowLongW.USER32(00000000,000000F0), ref: 01016630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0101664A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 22a6cc911f76168c349dcd50088499b880f073c86628f7e4e7133a002d7e0d41
Instruction ID: 32afaf7bb60fe48eeaa2f4320c81ef8a0fcec66680dc84a7645ba77901795973
Opcode Fuzzy Hash: 22a6cc911f76168c349dcd50088499b880f073c86628f7e4e7133a002d7e0d41
Instruction Fuzzy Hash: 51312874604211AFDB31CF68DC84F653BE1FB49750F1902A8F5818B2AECBBBA844CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01006486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 010080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010080CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010064D9
WSAGetLastError.WSOCK32(00000000), ref: 010064E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01006521
connect.WSOCK32(00000000,?,00000010), ref: 0100652A
WSAGetLastError.WSOCK32 ref: 01006534
closesocket.WSOCK32(00000000), ref: 0100655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01006576

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4112e6a8c25d8c7919edca9e18f7d1717d89b01e72689131927e73b443e90da9
Instruction ID: c3803b2d9f8b51171908c6db6c57d3a0667c63ec04485639eedcbe0943ccd830
Opcode Fuzzy Hash: 4112e6a8c25d8c7919edca9e18f7d1717d89b01e72689131927e73b443e90da9
Instruction Fuzzy Hash: BE319431600119ABEB119F18CC84BBD7BAAEB44711F014069FD85972C1CB7A9918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEE120
SysAllocString.OLEAUT32(00000000), ref: 00FEE123
SysAllocString.OLEAUT32 ref: 00FEE144
SysFreeString.OLEAUT32 ref: 00FEE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00FEE167
SysAllocString.OLEAUT32(?), ref: 00FEE175

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 78a7db062e0c1ba34bcf7f8a4138ca0f5a54894db4a9f472ae69f6f2e534d33f
Instruction ID: 509d3cb7f9225dfa17a6bcf92a5ba2dcb08b8271309e4d56583bb7abc368d199
Opcode Fuzzy Hash: 78a7db062e0c1ba34bcf7f8a4138ca0f5a54894db4a9f472ae69f6f2e534d33f
Instruction Fuzzy Hash: CA21C832605109AFDB20EFA9DC88DAB77ECEB09770B008125F954CB255DB79DC85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 010178A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 010178AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 010178B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 010178C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 010178D4

Strings

Msctls_Progress32, xrefs: 01017872

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5d670452494142c22cfd119df3a21e2f8fcd37134ba6c35e51ecd5a33e66d772
Instruction ID: 0b2cc0cb6e4cd29aba97a0eefc58df4e655728b06a9c3c18e1ea592e6e2ae253
Opcode Fuzzy Hash: 5d670452494142c22cfd119df3a21e2f8fcd37134ba6c35e51ecd5a33e66d772
Instruction Fuzzy Hash: 9711B2B215021ABFEF159E64CC85EEB7F6DEF08798F014115FA44A6094CB769C21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FB4292,?), ref: 00FB41E3
GetProcAddress.KERNEL32(00000000), ref: 00FB41EA
EncodePointer.KERNEL32(00000000), ref: 00FB41F6
DecodePointer.KERNEL32(00000001,00FB4292,?), ref: 00FB4213

Strings

combase.dll, xrefs: 00FB41DE
RoInitialize, xrefs: 00FB41D2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: e8a6cd27458f12216a2750175fd60dc19dfb385c82f1abbe7395e79531180ddb
Instruction ID: 7fd99d3096cf19579bd558039cd645cc012a12cf69ed63ff6f7355a442930670
Opcode Fuzzy Hash: e8a6cd27458f12216a2750175fd60dc19dfb385c82f1abbe7395e79531180ddb
Instruction Fuzzy Hash: E3E012B4E90301AEDB306BB2EC09B8535A5B721702F508414F491DA088EBBF50959F04

Uniqueness

Uniqueness Score: -1.00%

Function 00FB429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FB41B8), ref: 00FB42B8
GetProcAddress.KERNEL32(00000000), ref: 00FB42BF
EncodePointer.KERNEL32(00000000), ref: 00FB42CA
DecodePointer.KERNEL32(00FB41B8), ref: 00FB42E5

Strings

combase.dll, xrefs: 00FB42B3
RoUninitialize, xrefs: 00FB42A7

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 53bc816bf58dec2afd55ef5d69911f4dbc3475dd6307f959f4ede5de2ff0e5b9
Instruction ID: 0ef76ac7732dbcbc0b9ac107c499949acb1747def8a74611c6eed9827fbde31a
Opcode Fuzzy Hash: 53bc816bf58dec2afd55ef5d69911f4dbc3475dd6307f959f4ede5de2ff0e5b9
Instruction Fuzzy Hash: A3E0BF78681311ABDB30AB71ED0DB853EA8B724752F504018F881D5048DB7E5554EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00FF675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF68AD
_memmove.LIBCMT ref: 00FF67E8

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

_memmove.LIBCMT ref: 00FF685B
_memmove.LIBCMT ref: 00FF6942
_memmove.LIBCMT ref: 00FF695B
_memmove.LIBCMT ref: 00FF6977

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 2bac77bd924f1e60215469b8f8b5039679a19164115d0391ecead73dde7c98c6
Instruction ID: d0e6beca44531bf738afe95173b8c5c71bcdcf40d57351dd69386d9822e40833
Opcode Fuzzy Hash: 2bac77bd924f1e60215469b8f8b5039679a19164115d0391ecead73dde7c98c6
Instruction Fuzzy Hash: 1961BE3150425E9BDF11FF64CC82EFE37A8AF44348F054519FA559B2A2DF789901EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 010110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01010038,?,?), ref: 010110BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01010548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01010588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 010105AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010105D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 01010617
RegCloseKey.ADVAPI32(00000000), ref: 01010624

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 0d3806a95d9181c40c857031a29003a86e416d45c9929f9017126e6fcf67761a
Instruction ID: 101957780ec1d2066f05305d955c720d9a408ac78051623976e87fa9a1096e27
Opcode Fuzzy Hash: 0d3806a95d9181c40c857031a29003a86e416d45c9929f9017126e6fcf67761a
Instruction Fuzzy Hash: 42514331608200AFDB15EB68CC85E6BBBE8EF88714F04491DF5858B2A5DB39E944DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01015A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01015A82
GetMenuItemCount.USER32(00000000), ref: 01015AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 01015AE1
GetMenuItemID.USER32(?,?), ref: 01015B50
GetSubMenu.USER32(?,?), ref: 01015B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 01015BAF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 7c2b04536da7589255c3144519e518b5048d4b074d0a9f56c54caec0b677c03f
Instruction ID: 433ccb66998a43cef279d791550e3eaa878d0baeea70d6d4f73def84208be079
Opcode Fuzzy Hash: 7c2b04536da7589255c3144519e518b5048d4b074d0a9f56c54caec0b677c03f
Instruction Fuzzy Hash: 49518F35A00215AFDF11DF68CC85AAEB7B4FF49310F104499E941BB355CB79AE419F90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FEF3F7
VariantClear.OLEAUT32(00000013), ref: 00FEF469
VariantClear.OLEAUT32(00000000), ref: 00FEF4C4
_memmove.LIBCMT ref: 00FEF4EE
VariantClear.OLEAUT32(?), ref: 00FEF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FEF569

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 2b036a81e8c6bef6197368823c703412a4ac6de58ab1dfa0210b954fae59e29d
Instruction ID: b801822a8468be50e671971fad91c1e3c5efabee0f75cb2f7584c80e34e88b2f
Opcode Fuzzy Hash: 2b036a81e8c6bef6197368823c703412a4ac6de58ab1dfa0210b954fae59e29d
Instruction Fuzzy Hash: 8A5168B5A0024AEFCB10CF58D880AAAB7B8FF4C354B158169E959DB344D734E915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2792
IsMenu.USER32(00000000), ref: 00FF27B2
CreatePopupMenu.USER32 ref: 00FF27E6
GetMenuItemCount.USER32(000000FF), ref: 00FF2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FF2875

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 8f7a16c3d73acf118566bbc5ff6b43ba2e3a5dc6cbd93349d97b68d862d87a1e
Instruction ID: a2732477f5886874d6c7ecb850592c489ef82a7e35f299a0ed1205a873f19612
Opcode Fuzzy Hash: 8f7a16c3d73acf118566bbc5ff6b43ba2e3a5dc6cbd93349d97b68d862d87a1e
Instruction Fuzzy Hash: 5A51AE70A0024EEBDF64CFA8C888BBEBBF5BF44364F10415AEA159B2A0D7759904DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F9179A
GetWindowRect.USER32(?,?), ref: 00F917FE
ScreenToClient.USER32(?,?), ref: 00F9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F9182C
EndPaint.USER32(?,?), ref: 00F91876

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 3066dab6ac8d7df4634cac797bd28bb49877278e6b03d288917c648c222ca6a4
Instruction ID: 8f4b47f8a949e1e7423d9bc588f019612b34edbd387ed0eaa4d18c583f728b6d
Opcode Fuzzy Hash: 3066dab6ac8d7df4634cac797bd28bb49877278e6b03d288917c648c222ca6a4
Instruction Fuzzy Hash: 4341A171500302AFEB21DF24C885FB77BF8FB5A724F140668F994872A1C73A9845EB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010567B0,00000000,01A048B8,?,?,010567B0,?,0101B862,?,?), ref: 0101B9CC
EnableWindow.USER32(00000000,00000000), ref: 0101B9F0
ShowWindow.USER32(010567B0,00000000,01A048B8,?,?,010567B0,?,0101B862,?,?), ref: 0101BA50
ShowWindow.USER32(00000000,00000004,?,0101B862,?,?), ref: 0101BA62
EnableWindow.USER32(00000000,00000001), ref: 0101BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0101BAA9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f2a0576f16cb84937c04593f98e227afc6fee7c2b5b11b82e31eca87bfe31124
Instruction ID: a3fe46f0298d9fb695c2dead6c8ecc461ba53864589b6e9d0b2ee7894a9c1977
Opcode Fuzzy Hash: f2a0576f16cb84937c04593f98e227afc6fee7c2b5b11b82e31eca87bfe31124
Instruction Fuzzy Hash: 7E415131600241AFDB62CF28C489BA57FF1BB05315F5841E9FA888F2AAC739A446CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010073B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01005134,?,?,00000000,00000001), ref: 010073BF

Part of subcall function 01003C94: GetWindowRect.USER32(?,?), ref: 01003CA7

GetDesktopWindow.USER32 ref: 010073E9
GetWindowRect.USER32(00000000), ref: 010073F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01007422

Part of subcall function 00FF54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF555E

GetCursorPos.USER32(?), ref: 0100744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010074AC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 035b26668a76aba146a1faaf20a7d2c7cb7598bd85421204d983b7c71eff0ab7
Instruction ID: 4d53350cab97a52d3b71d6a1093cfadceabacca86a70ab8ff4d622e5c7a114d8
Opcode Fuzzy Hash: 035b26668a76aba146a1faaf20a7d2c7cb7598bd85421204d983b7c71eff0ab7
Instruction Fuzzy Hash: 7131A172504316ABD721DF54D849F9BBBE9FF88314F000919F6C997181CB79EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE8608
Part of subcall function 00FE85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE8612
Part of subcall function 00FE85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE8621
Part of subcall function 00FE85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE8628
Part of subcall function 00FE85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE863E

GetLengthSid.ADVAPI32(?,00000000,00FE8977), ref: 00FE8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FE8DB8
HeapAlloc.KERNEL32(00000000), ref: 00FE8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FE8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00FE8977), ref: 00FE8DEC
HeapFree.KERNEL32(00000000), ref: 00FE8DF3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5dd7ceda39959f70441bbf9d12c772726359b28033dfc967ea9d9eca115e90ea
Instruction ID: be05fe45ca22e0151813007f65909fcc7410ab21487540ceb642f1e3bc88b4c5
Opcode Fuzzy Hash: 5dd7ceda39959f70441bbf9d12c772726359b28033dfc967ea9d9eca115e90ea
Instruction Fuzzy Hash: AA11B131900605FFDB21EFA5CC09BAE77A9EF553A5F104119F88997240CB3A9905EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FE8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00FE8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FE8B40
CloseHandle.KERNEL32(00000004), ref: 00FE8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FE8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FE8B8E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0f187d1fc340a69cf41f7b970e1b05b95b5dfc7653e01265c98e7b0c9a5ed133
Instruction ID: 0781ac45a6f86eaf9f099fd27ecf934d8263c8e2648bb7f03768b658cb64c089
Opcode Fuzzy Hash: 0f187d1fc340a69cf41f7b970e1b05b95b5dfc7653e01265c98e7b0c9a5ed133
Instruction Fuzzy Hash: B7118CB250024AABDF11DFA4DD49FDA7BA9FF48358F044015FE08A2060C77A8D65EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9135C
Part of subcall function 00F912F3: BeginPath.GDI32(?), ref: 00F91373
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0101C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0101C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0101C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0101C1F6
EndPath.GDI32(00000000), ref: 0101C206
StrokePath.GDI32(00000000), ref: 0101C216

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: dd429996f213b807add143e5f1a5fdba6ecead653497dcf565779b9df0cedbee
Instruction ID: 92dd3ac92fe04688dfe7ad077439246fc078c0cdc166c70fb8bb36a34ce806ad
Opcode Fuzzy Hash: dd429996f213b807add143e5f1a5fdba6ecead653497dcf565779b9df0cedbee
Instruction Fuzzy Hash: 49111E7640010DBFEF229F94DC48EEA7FADEB04354F048051FA5846165C77A9E59DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB0401

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fdea3d509cca070ae2f794051c4ac75159c458f9c1795713a85e26296b373cf5
Instruction ID: 04d135753d54c82f1ce9a57e0e06ff83cc8c8f11549f5dd7a2a1cbc4ce11b84c
Opcode Fuzzy Hash: fdea3d509cca070ae2f794051c4ac75159c458f9c1795713a85e26296b373cf5
Instruction Fuzzy Hash: F0016CB0901B5A7DE3008F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FF569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FF56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00FF56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF56E0

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b19a1403ef4f31b4f978f2374e1dc0d6d41102cb8ff29ce668101dbe6356c04e
Instruction ID: d30904661dab90db3466210303887e984e9a75ffc14eb029c4103e7c28322781
Opcode Fuzzy Hash: b19a1403ef4f31b4f978f2374e1dc0d6d41102cb8ff29ce668101dbe6356c04e
Instruction Fuzzy Hash: C2F0903224151ABBE3315AA2DC0DEEF7B7CEFCBB21F000159FA44D1040D7AA1A0587B5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FF74E5
EnterCriticalSection.KERNEL32(?,?,00FA1044,?,?), ref: 00FF74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00FA1044,?,?), ref: 00FF7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FA1044,?,?), ref: 00FF7510

Part of subcall function 00FF6ED7: CloseHandle.KERNEL32(00000000,?,00FF751D,?,00FA1044,?,?), ref: 00FF6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF7523
LeaveCriticalSection.KERNEL32(?,?,00FA1044,?,?), ref: 00FF752A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3c51060c22c3ba37f71007f7b5785cb73516826ea7abb2e9ede62c51deb0207
Instruction ID: f78d62b84868d21c86c9710cc70018d536a0dd35ebaee650b4ab6fd0fc22ad85
Opcode Fuzzy Hash: f3c51060c22c3ba37f71007f7b5785cb73516826ea7abb2e9ede62c51deb0207
Instruction Fuzzy Hash: 0FF0827A540713EBDB212B64FC8C9EB773AFF45322B040621F642E10A8DBBE5819DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE8E7F
UnloadUserProfile.USERENV(?,?), ref: 00FE8E8B
CloseHandle.KERNEL32(?), ref: 00FE8E94
CloseHandle.KERNEL32(?), ref: 00FE8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE8EA5
HeapFree.KERNEL32(00000000), ref: 00FE8EAC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6e4d38604d2b62773bfd6a0b74f3f31e73e02f4e4739f91c632e0358e6d82261
Instruction ID: 77187c5b7678651b70aa12be71918144b8a54512a7ef459dbd315f2e6e20cb8b
Opcode Fuzzy Hash: 6e4d38604d2b62773bfd6a0b74f3f31e73e02f4e4739f91c632e0358e6d82261
Instruction Fuzzy Hash: 28E0E536104402BBDB112FE1EC0C90ABF79FF8A322B108220F259C1078CB3F9428DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01008902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01008928
CharUpperBuffW.USER32(?,?), ref: 01008A37
VariantClear.OLEAUT32(?), ref: 01008BAF

Part of subcall function 00FF7804: VariantInit.OLEAUT32(00000000), ref: 00FF7844
Part of subcall function 00FF7804: VariantCopy.OLEAUT32(00000000,?), ref: 00FF784D
Part of subcall function 00FF7804: VariantClear.OLEAUT32(00000000), ref: 00FF7859

Strings

Incorrect Parameter format, xrefs: 01008960, 01008B22
AUTOIT.ERROR, xrefs: 01008A3D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 00764966e44dbbd674aea0cce15fae43abd7a9ec036447c83c844f109af942bd
Instruction ID: f8017c79874c03da4d2524e60806e2d89b39c70086bfd5dac861858dc469b5a9
Opcode Fuzzy Hash: 00764966e44dbbd674aea0cce15fae43abd7a9ec036447c83c844f109af942bd
Instruction Fuzzy Hash: ED918370A087019FDB11EF28C88495BBBE4FF89714F04896EF9968B3A1DB35D905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAFEC6: _wcscpy.LIBCMT ref: 00FAFEE9

_memset.LIBCMT ref: 00FF3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FF3187

Strings

0, xrefs: 00FF3063

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 7c1b83cb6edf5a4255238c2fb775d2768fa788524d89d71772667f04b5b7e5dc
Instruction ID: 91f0832b8d5f98666c52531918fcdb8a0d58461b8edbd6fc59ccdf5df76ab9d8
Opcode Fuzzy Hash: 7c1b83cb6edf5a4255238c2fb775d2768fa788524d89d71772667f04b5b7e5dc
Instruction Fuzzy Hash: 0B51E371E083049AD725AF28CC45A7BBBE4EF45364F040A2EFA85D31B1DB75CE44AB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FEDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FEDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FEDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FEDB8E

Strings

DllGetClassObject, xrefs: 00FEDB01

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ba61bfae0759847052bf1b3c39cf9dd46e0ec11ead59df866e86a00a7a195a19
Instruction ID: 1d242c0ebca7966c3b2cd809b9f59a97376977f0824d2d8a93fcbdbfe617dd65
Opcode Fuzzy Hash: ba61bfae0759847052bf1b3c39cf9dd46e0ec11ead59df866e86a00a7a195a19
Instruction Fuzzy Hash: 9041E3B1600248EFDB15CF56C884B9A7BB9EF88350F1180ADED059F205E7B5DD44EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FF2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00FF2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01056890,00000000), ref: 00FF2D5A

Strings

0, xrefs: 00FF2CA4

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3e55eef1e7b945dc729a01d38dac7dbaf8d91483bd6fac197360dfcee20ffe8e
Instruction ID: 74b8e89328885447568af0b2efca415c826fbcab6796e3e797c825fcba960698
Opcode Fuzzy Hash: 3e55eef1e7b945dc729a01d38dac7dbaf8d91483bd6fac197360dfcee20ffe8e
Instruction Fuzzy Hash: 5E41C3306043069FD720EF24CC85B6ABBE8EF85320F00465EFA65972A1D774E904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00FEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00FEB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FE93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FE9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FE9439

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

Strings

ComboBox, xrefs: 00FE9380
ListBox, xrefs: 00FE93B5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ee81c636b1c89c2a625844a32a8526cf2cceabac5e56ef41eec30a55c3277a25
Instruction ID: 1de1f1630537a84008c2ee8710fc22b8104439257c675787f139d34dda7d9ebe
Opcode Fuzzy Hash: ee81c636b1c89c2a625844a32a8526cf2cceabac5e56ef41eec30a55c3277a25
Instruction Fuzzy Hash: 3721E4B1D04204AFDB14ABB2DC858FFB768DF45760B108119F965971E1DB7D090AAA60

Uniqueness

Uniqueness Score: -1.00%

Function 01001B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01001B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01001B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01001B96
InternetCloseHandle.WININET(00000000), ref: 01001BDD

Part of subcall function 01002777: GetLastError.KERNEL32(?,?,01001B0B,00000000,00000000,00000001), ref: 0100278C
Part of subcall function 01002777: SetEvent.KERNEL32(?,?,01001B0B,00000000,00000000,00000001), ref: 010027A1

Strings

, xrefs: 01001B87

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 91f5362dc9c5d4f8161f6f25e3aaca21f8c68495c51d6b37fe478da727a176a5
Instruction ID: ef74fabac451b8689889cf84059f08eeb37e8d120cd8efef5a9a6ca028f35237
Opcode Fuzzy Hash: 91f5362dc9c5d4f8161f6f25e3aaca21f8c68495c51d6b37fe478da727a176a5
Instruction Fuzzy Hash: C821BEB1600609BFFB229F249C84EBF76ECFB49754F00015AF585E2280EB35DD048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01016656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 010166D0
LoadLibraryW.KERNEL32(?), ref: 010166D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 010166EC
DestroyWindow.USER32(?), ref: 010166F4

Strings

SysAnimate32, xrefs: 010166AB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: a7fa8df05b9a84ad1dae95f5ae665a12d95ea6a2c0df13560c6084bee32adab2
Instruction ID: 5b6531d3ef017fc907fb4c5ec3dd98e1491818ae0c619baa403bbd531a09f136
Opcode Fuzzy Hash: a7fa8df05b9a84ad1dae95f5ae665a12d95ea6a2c0df13560c6084bee32adab2
Instruction Fuzzy Hash: 39219F71100206AFEF114E68EC90EBB77EDFB49368F104A69FA9092199D7BBCC519760

Uniqueness

Uniqueness Score: -1.00%

Function 00FF703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FF705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF7091
GetStdHandle.KERNEL32(0000000C), ref: 00FF70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FF70DD

Strings

nul, xrefs: 00FF70D8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 11ef68b88b7cf0a711ab24e3ee515bc726bc4c2b76d5abc116413d105ff36fd4
Instruction ID: 3b4d796f2b68ee87ac07ea8f9b6ca7eef6da709b1cea6e87af4ed24ddd5c4fcb
Opcode Fuzzy Hash: 11ef68b88b7cf0a711ab24e3ee515bc726bc4c2b76d5abc116413d105ff36fd4
Instruction Fuzzy Hash: 8C21837590430EABDB20AF28DC05AAAB7A4AF44730F204619FEA1D72E0EB7198519B50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF715D
GetStdHandle.KERNEL32(000000F6), ref: 00FF716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FF71A8

Strings

nul, xrefs: 00FF71A3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b3a408a384cf38d208946b8a2529f9bcc6744dbfa23f20df0b24114b78e526db
Instruction ID: 5a29848564379c2b8c6fb88f36e1b6cd621c1b46bce09b6e1c0fed98a0522658
Opcode Fuzzy Hash: b3a408a384cf38d208946b8a2529f9bcc6744dbfa23f20df0b24114b78e526db
Instruction Fuzzy Hash: 9121B87590430E9BDB20AF689C04AB9F7E8AF55730F200619FEE1E72E0D7749849D750

Uniqueness

Uniqueness Score: -1.00%

Function 00FFAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FFAF13
__swprintf.LIBCMT ref: 00FFAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0101F910), ref: 00FFAF6A

Strings

%lu, xrefs: 00FFAF26

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: cdc6933de661df2ad350d6126a3e1afe5c2a74ff9362efc1cca6017d3ff84a21
Instruction ID: 54b691f19c3b5a596ca364f979f5683e269740e971d0e6615b09f7bee25de451
Opcode Fuzzy Hash: cdc6933de661df2ad350d6126a3e1afe5c2a74ff9362efc1cca6017d3ff84a21
Instruction Fuzzy Hash: 38217171A0010DAFDB10EF65CD85DAE7BB8EF89704B004069F909EB251DB79EA45DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

Part of subcall function 00FEA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FEA399
Part of subcall function 00FEA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEA3AC
Part of subcall function 00FEA37C: GetCurrentThreadId.KERNEL32 ref: 00FEA3B3
Part of subcall function 00FEA37C: AttachThreadInput.USER32(00000000), ref: 00FEA3BA

GetFocus.USER32 ref: 00FEA554

Part of subcall function 00FEA3C5: GetParent.USER32(?), ref: 00FEA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00FEA59D
EnumChildWindows.USER32(?,00FEA615), ref: 00FEA5C5
__swprintf.LIBCMT ref: 00FEA5DF

Strings

%s%d, xrefs: 00FEA5D9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 14eeb0f64971dcc684c0402bfd97228375bf83d93bf600f1336ce2b4acc588ff
Instruction ID: c7d3ac249de759b70ef6732a482dab0af346152807fbcda48876dc43f68e207f
Opcode Fuzzy Hash: 14eeb0f64971dcc684c0402bfd97228375bf83d93bf600f1336ce2b4acc588ff
Instruction Fuzzy Hash: 8C11E171600309BBDF20BF72DC85FEA3779AF49310F004079B908AA042CA796949AB32

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FF2048

Strings

KEYS, xrefs: 00FF205F
APPEND, xrefs: 00FF2081
EXISTS, xrefs: 00FF2070
REMOVE, xrefs: 00FF204E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e7204905fd90968b2785788cde2c7c4e38992d275855e6d754c370ed918adf65
Instruction ID: b559b2a96e5873e823c063104873b540b531fb6b19305eb293e39f901589404e
Opcode Fuzzy Hash: e7204905fd90968b2785788cde2c7c4e38992d275855e6d754c370ed918adf65
Instruction Fuzzy Hash: 9D113C7195010ACFCF40EFA4D8815FEB7B4BF19304B108468E856673A1EF366906EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0100EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0100EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0100EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0100F07E
CloseHandle.KERNEL32(?), ref: 0100F0FF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1b62ddfae890597fc8b09a9ba84847a760dbd9b075fdd25a8d99de36ceb676b5
Instruction ID: b4ddb8749c8edb92d3c4041a552095c85f02af320b4689e1c616755b6ce97b2c
Opcode Fuzzy Hash: 1b62ddfae890597fc8b09a9ba84847a760dbd9b075fdd25a8d99de36ceb676b5
Instruction Fuzzy Hash: C7815E716043019FEB20EF28CC46B2EB7E5AF48720F05885DF599DB2D2DBB9AC419B51

Uniqueness

Uniqueness Score: -1.00%

Function 010102C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 010110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01010038,?,?), ref: 010110BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01010388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010103C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0101040E
RegCloseKey.ADVAPI32(?,?), ref: 0101043A
RegCloseKey.ADVAPI32(00000000), ref: 01010447

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 31e14cc5625598e981b2faa5e544339ed8af04651d2947c607f901aa24b5a21f
Instruction ID: 807b9e17d6d754e0a5eab441c31ac1d301859c37465ddd13faf1139d1c59887a
Opcode Fuzzy Hash: 31e14cc5625598e981b2faa5e544339ed8af04651d2947c607f901aa24b5a21f
Instruction Fuzzy Hash: F2516871208305AFEB04EF68CC81E6EB7E8FF88704F04892DB59587295DB39E904DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0100DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0100DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0100DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0100DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0100DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0100DD35

Part of subcall function 00F95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7B20,?,?,00000000), ref: 00F95B8C
Part of subcall function 00F95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7B20,?,?,00000000,?,?), ref: 00F95BB0

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 331505bc306a62aeea706ad84af00d54b6f384d8822ddf23e173faf4842dae2d
Instruction ID: 94375e2ed8b18ae9e3af29153cc7f863a9e802c322917139860873255a55d098
Opcode Fuzzy Hash: 331505bc306a62aeea706ad84af00d54b6f384d8822ddf23e173faf4842dae2d
Instruction Fuzzy Hash: AD514C35A0020A9FEB02EFA8C884D9DB7F4FF49310B058099E955AB351DB79AD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FFE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FFE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FFE8F2

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FFE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FFE91F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 092d75ee19f6c9fd2660cd6e1cacc981c2f3f2804d1fc94b51271c0e37841995
Instruction ID: 62054e56a328b15a8f06fcfc991e8f356c266aab948889f55743ebf712ecd025
Opcode Fuzzy Hash: 092d75ee19f6c9fd2660cd6e1cacc981c2f3f2804d1fc94b51271c0e37841995
Instruction Fuzzy Hash: 4A513A35A00209DFDF11EF64C981AAEBBF5FF08314B148099E949AB361CB79ED11EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2c86ec9098d4652d26669057c51b7a217f12f37af28d217077f956b626c2ca
Instruction ID: 62f2dcc38684c69f55a1d8c20999fc81a08dc68a7983a5950f3a8064fd386240
Opcode Fuzzy Hash: aa2c86ec9098d4652d26669057c51b7a217f12f37af28d217077f956b626c2ca
Instruction Fuzzy Hash: 0441D435A02284EFD760DB6CCC44FA9BBA4EB09310F0482A5FAD5A72D9D779A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F92357
ScreenToClient.USER32(010567B0,?), ref: 00F92374
GetAsyncKeyState.USER32(00000001), ref: 00F92399
GetAsyncKeyState.USER32(00000002), ref: 00F923A7

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c99b050a81821aefb635c2ea7f046d24b5760687804c9c116cf1efcad961452
Instruction ID: dad957d047223d2ae31c7928b1f2b0bc4cfed4d0e89b212c8501130916b744d2
Opcode Fuzzy Hash: 0c99b050a81821aefb635c2ea7f046d24b5760687804c9c116cf1efcad961452
Instruction Fuzzy Hash: 10419F3690411AFBDF559FA8CC44FEDBB74FB05370F20431AE86892290C779A994EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00FE69A9
TranslateMessage.USER32(?), ref: 00FE69D2
DispatchMessageW.USER32(?), ref: 00FE69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE69EB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 76d9f17846e44cc8d5c39ffd0afcee84fbf41d526118fadc63667dfad3d61908
Instruction ID: 917a2a8e508a610e0b1fdb827664cb46a2859368926d47804d35ab922c88cc97
Opcode Fuzzy Hash: 76d9f17846e44cc8d5c39ffd0afcee84fbf41d526118fadc63667dfad3d61908
Instruction Fuzzy Hash: D631F671D0038EAADB70CE72DC84FBB7BACAB25790F104165E461D3056E73E9889E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00FE8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FE8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00FE8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FE8FDA

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 068a0008970c0f692aa8f2bddd6fccbbdb219eb83b0e540964e4894d53d75fe6
Instruction ID: 5b256382b43b6622add4c6c3317b54ea3c8ea28dd157d9aad86173387ff08f7e
Opcode Fuzzy Hash: 068a0008970c0f692aa8f2bddd6fccbbdb219eb83b0e540964e4894d53d75fe6
Instruction Fuzzy Hash: D1312171900299EFDF10DFA8D94CA9E3BB6FB04325F104219F928E71D0C7B49914EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FEB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FEB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FEB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FEB742
_wcsstr.LIBCMT ref: 00FEB74C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 7d61047b69f0c2dde99f93b882c80562ff7c4ca6e3dd403d42d2a899ac90e89a
Instruction ID: bdd61f907a477d08912ed3b5be1740252f02fed38b6e6d42688b58a483528e2a
Opcode Fuzzy Hash: 7d61047b69f0c2dde99f93b882c80562ff7c4ca6e3dd403d42d2a899ac90e89a
Instruction Fuzzy Hash: 82210B32604245BBEB255B7BDC49E7B7B9CDF89760F004069FC05CA195EF69DC40A760

Uniqueness

Uniqueness Score: -1.00%

Function 0101B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetWindowLongW.USER32(?,000000F0), ref: 0101B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0101B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0101B489
GetSystemMetrics.USER32(00000004), ref: 0101B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01001184,00000000), ref: 0101B4D0

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 739b50d8b1d95bdb2c34b33140ba2f174a92127a0b4a4110430ab59ee86f3222
Instruction ID: 6cf4cec84e46985a3736d1640b0ccd61686ab5bce679dfda2cdcca9add404fdb
Opcode Fuzzy Hash: 739b50d8b1d95bdb2c34b33140ba2f174a92127a0b4a4110430ab59ee86f3222
Instruction Fuzzy Hash: 2F21B571650216AFDB608E78DC04B6A3BB4FB05724F108768FEA6C31D8EB399811CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FE97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE9802

Part of subcall function 00F97D2C: _memmove.LIBCMT ref: 00F97D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE9834
__itow.LIBCMT ref: 00FE984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE9874
__itow.LIBCMT ref: 00FE9885

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 0af3a2e3491b0df2df217abd79015a711b7e555c93de8176fa6ab120c38946ba
Instruction ID: 7a2581f4af3f8f977a74ec2140b6bb1e0e2eb4a65692346f1ab44f03c80b4ee4
Opcode Fuzzy Hash: 0af3a2e3491b0df2df217abd79015a711b7e555c93de8176fa6ab120c38946ba
Instruction Fuzzy Hash: 3A210A35B04344ABEF10EA728C86EEE3BA8DF49720F440029FD04DB251E6B48E45A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
SelectObject.GDI32(?,00000000), ref: 00F9135C
BeginPath.GDI32(?), ref: 00F91373
SelectObject.GDI32(?,00000000), ref: 00F9139C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a504c560b21ec1605ec03ac246ffac6f7d56361a6ef1509a63331dbc8688940e
Instruction ID: 1aa2e53ba7ddddac1472835f57ab0cc0e6c336d70c1e34e2f96d92dd0e119501
Opcode Fuzzy Hash: a504c560b21ec1605ec03ac246ffac6f7d56361a6ef1509a63331dbc8688940e
Instruction Fuzzy Hash: 072171B1C00306EFEF218F25D905B7A7BB8FB10321F644326F89196194D77B9995EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FEC176
_memcmp.LIBCMT ref: 00FEC194
_memcmp.LIBCMT ref: 00FEC1A7
_memcmp.LIBCMT ref: 00FEC1BF
_memcmp.LIBCMT ref: 00FEC1D7

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e6d01f0164510af9c903cc0e3bd21114a11f8ca13ca5681e2d6dbe40bd4dd299
Instruction ID: 092f6e2ef0d7f7815c7f966e4cffab57a1792da6b422bac1d2f73706e3cc6ea7
Opcode Fuzzy Hash: e6d01f0164510af9c903cc0e3bd21114a11f8ca13ca5681e2d6dbe40bd4dd299
Instruction Fuzzy Hash: BA0128B3A042197BE204A6638C52FEB735DAF213A4F444024FD049B243E758DE12A6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF4D5C
__beginthreadex.LIBCMT ref: 00FF4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00FF4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FF4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FF4DAC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: fc15ac626b7bae6ad165052e59c18777c6ddaacf3e12d4ca3c888a55b6958ce5
Instruction ID: a2c98d2ddf1da1653a61e22ea4b681645fb2a48fbd6f0e31541ad0a0640a799f
Opcode Fuzzy Hash: fc15ac626b7bae6ad165052e59c18777c6ddaacf3e12d4ca3c888a55b6958ce5
Instruction Fuzzy Hash: 9F11E1B2904609ABC7219BA89C08AAF7BACEF45360F144355FA54D3261D67E9D048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE8766
GetLastError.KERNEL32(?,00FE822A,?,?,?), ref: 00FE8770
GetProcessHeap.KERNEL32(00000008,?,?,00FE822A,?,?,?), ref: 00FE877F
HeapAlloc.KERNEL32(00000000,?,00FE822A,?,?,?), ref: 00FE8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE879D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 18214e0340398564694bbd83c348ea8381144bdb92b27fe042df913adb8898d5
Instruction ID: 089fd86cc99649c22c48eb50877f05c02693432a6d93f33e049e941e0732e724
Opcode Fuzzy Hash: 18214e0340398564694bbd83c348ea8381144bdb92b27fe042df913adb8898d5
Instruction Fuzzy Hash: 70016D71640245BFDB205FB6DC88D6B7BACFF8A3A57200569F88DC2250DA368C05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FF5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FF5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF555E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 90096b40a7593747d34b354e2ef9b0f192c8a8022f5fe174c47b0aa8c2e36110
Instruction ID: bd41ad7e04d3f97d6c75d17b2269cf7bd74508e94e1ddf89e4bb5be6ad71ce21
Opcode Fuzzy Hash: 90096b40a7593747d34b354e2ef9b0f192c8a8022f5fe174c47b0aa8c2e36110
Instruction Fuzzy Hash: 1B015B36C00A2EDBCF10EFE8E849AEDBB78BF09B15F080146EA41F2144DB395554D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE758C,80070057,?,?,?,00FE799D), ref: 00FE766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE758C,80070057,?,?), ref: 00FE768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE758C,80070057,?,?), ref: 00FE7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE758C,80070057,?), ref: 00FE76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE758C,80070057,?,?), ref: 00FE76B4

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cb639f592b854cc28e9594f71bcd429c6ab603183ab55d9604f6cfa5d935c860
Instruction ID: b1e40fc0e33b42ddac4fb525001d10d1f44801b39844ea7c8c9f06d47d8d97ae
Opcode Fuzzy Hash: cb639f592b854cc28e9594f71bcd429c6ab603183ab55d9604f6cfa5d935c860
Instruction Fuzzy Hash: 4E01D472600715BBDB20AF59DC04BAA7BACEB44765F100018FD04D2205E73ADD00ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE863E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f42dd4e3b036155c685e18bd34b62933ad07a71041aa6c3692d55d61af03d583
Instruction ID: a35bee9d51e437ae5278b19fda4b9de643c0e00672ae7fbbb3860ad1f0a39539
Opcode Fuzzy Hash: f42dd4e3b036155c685e18bd34b62933ad07a71041aa6c3692d55d61af03d583
Instruction Fuzzy Hash: 2AF06875241205AFD7211FA5DC8DE6B3BACFF467A4B004515F549C7140CB799C45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE869F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b85f1af9162f92e75665757dc6e4bb2ebf31da140db40033c44d15e9fbdd087
Instruction ID: 850292bef2a2e8874e2188836a1e8ce6bfb3e6894fc8ccf8db20a6817e9141f6
Opcode Fuzzy Hash: 1b85f1af9162f92e75665757dc6e4bb2ebf31da140db40033c44d15e9fbdd087
Instruction Fuzzy Hash: 4CF06275240345AFEB212FA5EC88E673BACEF8A7A4B100155F989C6140CB7ADD45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FEC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FEC6D1
MessageBeep.USER32(00000000), ref: 00FEC6E9
KillTimer.USER32(?,0000040A), ref: 00FEC705
EndDialog.USER32(?,00000001), ref: 00FEC71F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ca298f493779d7f88407afce5831b2889e58a8970c21e660d191b94f000e5b7c
Instruction ID: 0e089ece20337b60c3302d3d0293f37e1552da7dba6566e74e08366193735061
Opcode Fuzzy Hash: ca298f493779d7f88407afce5831b2889e58a8970c21e660d191b94f000e5b7c
Instruction Fuzzy Hash: 9401A230900749ABEB305F21DC4EF9677B8FF04701F000659F586A10D0EBE9A9599F80

Uniqueness

Uniqueness Score: -1.00%

Function 00F913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F913BF
StrokeAndFillPath.GDI32(?,?,00FCBAD8,00000000,?), ref: 00F913DB
SelectObject.GDI32(?,00000000), ref: 00F913EE
DeleteObject.GDI32 ref: 00F91401
StrokePath.GDI32(?), ref: 00F9141C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 64d1ae8e4539cb605fb8c968024106629140b29a6a5e85d6550c46daebd44085
Instruction ID: 91fdea384813c1e19d9751ca67e3f863c6ac3ff99761391cc1c4dd72fb1af442
Opcode Fuzzy Hash: 64d1ae8e4539cb605fb8c968024106629140b29a6a5e85d6550c46daebd44085
Instruction Fuzzy Hash: 09F0CD7000470A9BEF329F5AE80C7653BA4B711326F548324F4AA451E8C73F4595DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0FF6: std::exception::exception.LIBCMT ref: 00FB102C
Part of subcall function 00FB0FF6: __CxxThrowException@8.LIBCMT ref: 00FB1041

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00F97BB1: _memmove.LIBCMT ref: 00F97C0B

__swprintf.LIBCMT ref: 00FA302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FA2EC6

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f50ad68919fb212c8894c927a31187bf61519bc12109de62b442000382874b6e
Instruction ID: da34fe8a07dcf8e545bd6f0fb547f3c05b7346b36290548a7eee0f6884c32273
Opcode Fuzzy Hash: f50ad68919fb212c8894c927a31187bf61519bc12109de62b442000382874b6e
Instruction Fuzzy Hash: A4918D715087019FDB18FF24DC85C6EB7A8EF95750F04491EF4829B2A1EA34EE44EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FB524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FB52DD

Part of subcall function 00FC0340: __87except.LIBCMT ref: 00FC037B

Strings

pow, xrefs: 00FB52B5, 00FB52D2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: cdcf72b3b6d3f032830dacde9188c79be61e17b9288ba707e738fe0773044907
Instruction ID: 4230f4f61966a427d47d72745f7dff4861117aca4c6ec1b00e9b152e5482d86a
Opcode Fuzzy Hash: cdcf72b3b6d3f032830dacde9188c79be61e17b9288ba707e738fe0773044907
Instruction Fuzzy Hash: 0F515971E09602C7CB25BA25CA42BAA3BD49B40B60F34495CE1D5822D9EE7D8CC5BE42

Uniqueness

Uniqueness Score: -1.00%

Function 00FB023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00FB0280
+, xrefs: 00FB0277

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 8a8085758ed58a0ca94cf42e00ec45fc3a39871a2694e0176a40ab459a3991a3
Instruction ID: 68ff5b1d35c0e8071ee0b866fda5edcd535b85f8470aa537bc6805995ee890db
Opcode Fuzzy Hash: 8a8085758ed58a0ca94cf42e00ec45fc3a39871a2694e0176a40ab459a3991a3
Instruction Fuzzy Hash: AF513535908286DFDF259F2ACC886FE7BA4EF15720F184055EC919B2A0CB349C46EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA63A8
_memmove.LIBCMT ref: 00FA6446
_memset.LIBCMT ref: 00FA646A

Strings

ERCP, xrefs: 00FA6313

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: a28ebef32dfd6e8fa941b4c9d47e69ba467de04a10c00b8dcf2ddbed52f8406a
Instruction ID: aa8070a7ce24aa92409f8628eadfd5a0cedd7360c0a676e1e09f6e905fd84510
Opcode Fuzzy Hash: a28ebef32dfd6e8fa941b4c9d47e69ba467de04a10c00b8dcf2ddbed52f8406a
Instruction Fuzzy Hash: 5851A1B1900309DBDB24CF66C8817AABBF8FF08724F24856EE94AC7241E735D994DB40

Uniqueness

Uniqueness Score: -1.00%

Function 01017BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0101F910,00000000,?,?,?,?), ref: 01017C4E
GetWindowLongW.USER32 ref: 01017C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01017C7B

Strings

SysTreeView32, xrefs: 01017C20

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 0e54ac5021056b1997285ad63f80e61d8cfc9c7dd7b0d331d49b7b2f2c9b19ea
Instruction ID: 4358f0db22e8d71242de6d42bb5b09e41521b4cc2a164e382f7078f6f2025b45
Opcode Fuzzy Hash: 0e54ac5021056b1997285ad63f80e61d8cfc9c7dd7b0d331d49b7b2f2c9b19ea
Instruction Fuzzy Hash: 2131B23124020AAFEB618E38CC41BDA7BA9FB45324F204729F9B5931E4D739E8519B50

Uniqueness

Uniqueness Score: -1.00%

Function 01017648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 010176D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 010176E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 01017708

Strings

SysMonthCal32, xrefs: 0101769B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 10b2826ea2a30af8cd048c73938ebc50e03497f9426d37aedbe973d33e15ff3c
Instruction ID: 7fa0a6de41a944ea9ef27269b8c3e08e55c582fc05b5dafee1edcbc48cd857dd
Opcode Fuzzy Hash: 10b2826ea2a30af8cd048c73938ebc50e03497f9426d37aedbe973d33e15ff3c
Instruction Fuzzy Hash: 7821B132500219ABDF22CE64CC46FEA3BA9FF48714F110254FE556B1D5DAB9A8508BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01016F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01016FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01016FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01016FDF

Strings

Listbox, xrefs: 01016F77

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f7017be93d41ec2c15bdeea14e66552c56194fc3fa5698333b35a2484054a31e
Instruction ID: 404c203b7f11551d5d0ad976e37694f2c962534f579a557e965c1f0594b9192d
Opcode Fuzzy Hash: f7017be93d41ec2c15bdeea14e66552c56194fc3fa5698333b35a2484054a31e
Instruction Fuzzy Hash: 3E21C5326111187FDF128F58CC84FAB37AAFF89754F418168F9849B195CABA9C51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0101797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 010179E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 010179F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01017A03

Strings

msctls_trackbar32, xrefs: 010179B8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a485fc4de108bdf44b90bac3e72b9784c867c853ceef775511d089ff2cab7b72
Instruction ID: ad433081f00b89fc7bd4dea3f9021a82bfacfb5d5f66b409de3b199b3635af64
Opcode Fuzzy Hash: a485fc4de108bdf44b90bac3e72b9784c867c853ceef775511d089ff2cab7b72
Instruction Fuzzy Hash: 75110672240209BFEF219EB4CC05FEB7BA9EFC9B64F010529FA81A6091D276D451CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F94C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94C2E), ref: 00F94CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F94CB5

Strings

GetNativeSystemInfo, xrefs: 00F94CAF
kernel32.dll, xrefs: 00F94C9E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f4e066b656d3da854198417feacfaa6098e5119c40a993578af889967054cd65
Instruction ID: fee6f00fda69fda9d597cc28608cb91bd5af1f3685d9b820d7128b36f36dcadc
Opcode Fuzzy Hash: f4e066b656d3da854198417feacfaa6098e5119c40a993578af889967054cd65
Instruction Fuzzy Hash: ABD01230911723CFDB205F31D958A0676E5BF15651B11882D98C5D6504D67CD884C750

Uniqueness

Uniqueness Score: -1.00%

Function 00F94D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94CE1,?), ref: 00F94DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F94DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F94DAE
kernel32.dll, xrefs: 00F94D9D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 4a1494873364a3bfd28e6e8f9cb98a3f2f5bd1f4d201c715ba1c1837051394bf
Instruction ID: 82e3b1321a154e250ea824e80d67b1e6219071f478ae3191083ec9af0caba8df
Opcode Fuzzy Hash: 4a1494873364a3bfd28e6e8f9cb98a3f2f5bd1f4d201c715ba1c1837051394bf
Instruction Fuzzy Hash: BCD01775960713CFEB309F32D858A4676E4AF16265B11883EE8C6DA504E7B8E884CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F94D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94D2E,?,00F94F4F,?,010562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F94D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F94D7B
kernel32.dll, xrefs: 00F94D6A

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 92ddb9239ec19e28e283fa2e68eb9364d0bf84f7e688ad7691b735507c5267bc
Instruction ID: b0919319baef33d2020a50c0ba747b7cddb58f2fb512241579a117fed070239c
Opcode Fuzzy Hash: 92ddb9239ec19e28e283fa2e68eb9364d0bf84f7e688ad7691b735507c5267bc
Instruction Fuzzy Hash: A9D01274910753CFEB305F31D85861676D8BF15265B11893E94C6D6304D779D884CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01011072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,010112C1), ref: 01011080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01011092

Strings

advapi32.dll, xrefs: 0101107B
RegDeleteKeyExW, xrefs: 0101108C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 17339f67abd62a8c03c7773276c5a43c0a8e808cc36c9d145176a522e31de274
Instruction ID: 234eadeabbc1b585566c83d0107a0d002cf54ffd8e839b0dffe4869299305978
Opcode Fuzzy Hash: 17339f67abd62a8c03c7773276c5a43c0a8e808cc36c9d145176a522e31de274
Instruction Fuzzy Hash: 55D01770A10B138FD7359F3AD968A1A76E4AF06265B118C7EA9CADA104E6BCC480CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010093F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01009009,?,0101F910), ref: 01009403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01009415

Strings

GetModuleHandleExW, xrefs: 0100940F
kernel32.dll, xrefs: 010093FE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e5fbba831e16f31601c31c5d64534315e732005fa901d50426f465d9696f3c4f
Instruction ID: 7ae75c89f13c8e37812dc39f36f59d31ead4388c2c120edb7290c0e6089c6f54
Opcode Fuzzy Hash: e5fbba831e16f31601c31c5d64534315e732005fa901d50426f465d9696f3c4f
Instruction Fuzzy Hash: 93D0C730A00723CFE7208F36D948A0276E4AF02245F02C83EA8CACA541EAB8C4C4CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00FE76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68086f45a2faa405d0403bcdc0c9becb48f4f73fde35871ca8e750569b2e75
Instruction ID: e01f2eb4be59d52b1d7a8b78a7f2048025de537d951a51d7d936b0ba3e6b63e8
Opcode Fuzzy Hash: 5e68086f45a2faa405d0403bcdc0c9becb48f4f73fde35871ca8e750569b2e75
Instruction Fuzzy Hash: 4CC17E75A04256EFCB14DF95C884EAEB7F5FF48710B218598E805EB251D730EE81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0100E3D2
CharLowerBuffW.USER32(?,?), ref: 0100E415

Part of subcall function 0100DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0100DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0100E615
_memmove.LIBCMT ref: 0100E628

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8b8e95c4594989b467b845223f9214d7da0d84958d9724ae518911f2a952d1b4
Instruction ID: 3aad1decbe114442b70b3b5755eefc5e41fc6b9bd5eb47cb32e22739c9c47159
Opcode Fuzzy Hash: 8b8e95c4594989b467b845223f9214d7da0d84958d9724ae518911f2a952d1b4
Instruction Fuzzy Hash: AAC17B716083018FD755DF28C88096ABBE4FF88714F04896DF999AB391EB35E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 010083A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010083D8
CoUninitialize.OLE32 ref: 010083E3

Part of subcall function 00FEDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEDAC5

VariantInit.OLEAUT32(?), ref: 010083EE
VariantClear.OLEAUT32(?), ref: 010086BF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: ee92895487984f0fb7bd9db46996ed482b17a220dca293b9e4960837991c1f44
Instruction ID: 00b5ff5f7611412eb217bc444359a7c3e42d428837adb804dbbe2ef87747c1e2
Opcode Fuzzy Hash: ee92895487984f0fb7bd9db46996ed482b17a220dca293b9e4960837991c1f44
Instruction Fuzzy Hash: 89A13A756087019FEB11DF18C881B1ABBE4BF88314F05844DFA9A9B3A1CB75ED44DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00FE7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7C4A
CLSIDFromProgID.OLE32(?,?,00000000,0101FB80,000000FF,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7C6F
_memcmp.LIBCMT ref: 00FE7C90

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2a8c3e558c8d263128c61d531f7137848c000925a39822e9a87e6ef5262efe08
Instruction ID: a01b3694cb43de3e6793fe45acd4b44425423e305baff7f3a2319f8547d28d85
Opcode Fuzzy Hash: 2a8c3e558c8d263128c61d531f7137848c000925a39822e9a87e6ef5262efe08
Instruction Fuzzy Hash: 21811C71A00209EFCB04DF95C984EEEB7B9FF89315F204198E505AB254DB75AE05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FE6E04
SysAllocString.OLEAUT32(00000000), ref: 00FE6EAD
VariantCopy.OLEAUT32 ref: 00FE6EDC
VariantClear.OLEAUT32(?), ref: 00FE6F03

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 14ee97075bb439aa8a168771779138946b2dd7b6801c8321a72b5861a4fcccd1
Instruction ID: 5d9db96b88544c6783fe543585d988eb011fc21add66f6c3cb92c335a31daab6
Opcode Fuzzy Hash: 14ee97075bb439aa8a168771779138946b2dd7b6801c8321a72b5861a4fcccd1
Instruction Fuzzy Hash: C351B9316083869BDB30BF66DC91B79B3E5AF54350F20881FE696CB291EF749840BB15

Uniqueness

Uniqueness Score: -1.00%

Function 01006CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01006CE4
WSAGetLastError.WSOCK32(00000000), ref: 01006CF4

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01006D58
WSAGetLastError.WSOCK32(00000000), ref: 01006D64

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 16dc564e943e91fd5caacadc9116f6396f8d4f0d3d7491de26dcb629893655f7
Instruction ID: 57812c6a36e8d6c45124ad6212c9458a4d15f8244db90f339b064f42d3ee63df
Opcode Fuzzy Hash: 16dc564e943e91fd5caacadc9116f6396f8d4f0d3d7491de26dcb629893655f7
Instruction Fuzzy Hash: D7419174640200AFFB21BF28DC86F2A77E5AB44B10F44805CFA59DB2C2DAB99D419791

Uniqueness

Uniqueness Score: -1.00%

Function 0100672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0101F910), ref: 010067BA
_strlen.LIBCMT ref: 010067EC

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 9147cb33f629115720bb6afe00136c3239f815f2a7df77905b859098bb67371a
Instruction ID: a0e8fd2e67fdebed1ad2e77cd64c3393c7c786930816279c890f2d0fb5b5309f
Opcode Fuzzy Hash: 9147cb33f629115720bb6afe00136c3239f815f2a7df77905b859098bb67371a
Instruction Fuzzy Hash: 3B411770A00105AFEB15EB69CCC1EEEB3AAEF44710F048159F9599B2D2DF39AE14DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FFBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FFBB09
GetLastError.KERNEL32(?,00000000), ref: 00FFBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FFBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FFBB80

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4818ca4670f32b968f0429d8bf45c1ea55871963ddd341aadd88c689c9763827
Instruction ID: 5cf38979eb1b2b4a26693a5d27c0d0736eb6eb70aaaff77022fd165b8d11f71b
Opcode Fuzzy Hash: 4818ca4670f32b968f0429d8bf45c1ea55871963ddd341aadd88c689c9763827
Instruction Fuzzy Hash: 1C415E39604515DFDF10DF19C984A5DBBE5EF89320B098488EE4A9B362CB78FD01EB91

Uniqueness

Uniqueness Score: -1.00%

Function 01018AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01018B4D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f0b8dcde060e82a11b2aadc2d5aa29c5a6dbed591c2b41965619ba7c36d96f4d
Instruction ID: c6ca777f26e19fa24763e24adacf7ff78fe056eafeb4e5689ce763f89d77570a
Opcode Fuzzy Hash: f0b8dcde060e82a11b2aadc2d5aa29c5a6dbed591c2b41965619ba7c36d96f4d
Instruction Fuzzy Hash: A031B0B4600204BFFB609A2CCCC5BA93BA5FB05310F54CA43FBD1D62A9C63DA6408B41

Uniqueness

Uniqueness Score: -1.00%

Function 0101ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0101AE1A
GetWindowRect.USER32(?,?), ref: 0101AE90
PtInRect.USER32(?,?,0101C304), ref: 0101AEA0
MessageBeep.USER32(00000000), ref: 0101AF11

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 749904b579dd5a58bf9343f64f64efbd8b2bb72fcf88e578ea733af3b31e51fe
Instruction ID: 44662a52c6fcea49690d87642b32679f323e730a99e87f5abd2b9f651056b25c
Opcode Fuzzy Hash: 749904b579dd5a58bf9343f64f64efbd8b2bb72fcf88e578ea733af3b31e51fe
Instruction Fuzzy Hash: 24418E70701249DFDB22CF98C484AA97BF5FF49340F1481A9E594CB34AD73AA842CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FF1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FF1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FF10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FF110B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 57d62724473486b7a6c11a70b522e7488ad5dc9d79e1cac12ebfdf5e90176851
Instruction ID: fc3ee65857c490f0faacb8e569d807d45930810dc069dc456f586b2852594f05
Opcode Fuzzy Hash: 57d62724473486b7a6c11a70b522e7488ad5dc9d79e1cac12ebfdf5e90176851
Instruction Fuzzy Hash: 8B312631E4069CEEFB308A658C05BFABBA9BF44320F04435AE781521F1CB7989C4B751

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FF1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FF1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FF11F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FF1243

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 76e27c5f8fdcbd3a61e04b67ba433c4064e5fadb90680b7b8de22d40bcb06fed
Instruction ID: 54575a3034f90f88b72d056cb1f273a5fd1fe94220611f7f0978f6d2b26e1b4a
Opcode Fuzzy Hash: 76e27c5f8fdcbd3a61e04b67ba433c4064e5fadb90680b7b8de22d40bcb06fed
Instruction Fuzzy Hash: FF310730D4061CDAFF318AA588147FABBAEBF49320F04431AE780921E1C3795955A751

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FC644B
__isleadbyte_l.LIBCMT ref: 00FC6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FC64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FC64DD

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 56c449282db78e9fec5311fd1329cc0a5fdcb92edb6b3dfb65a05e83d49f7fec
Instruction ID: 516af760c3418b941b741741f1054dc49f6b694e49fc0c6949d28cadf8780da1
Opcode Fuzzy Hash: 56c449282db78e9fec5311fd1329cc0a5fdcb92edb6b3dfb65a05e83d49f7fec
Instruction Fuzzy Hash: B031CD31A08247AFDB29CF65CE46FAA7BA9FF81320F15402DE854C7190EB35D850EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01015175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01015189

Part of subcall function 00FF387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FF3897
Part of subcall function 00FF387D: GetCurrentThreadId.KERNEL32 ref: 00FF389E
Part of subcall function 00FF387D: AttachThreadInput.USER32(00000000,?,00FF52A7), ref: 00FF38A5

GetCaretPos.USER32(?), ref: 0101519A
ClientToScreen.USER32(00000000,?), ref: 010151D5
GetForegroundWindow.USER32 ref: 010151DB

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cf76be7135802a675b81b4d4acd8e35dd114b61bc29685142f25b5ecb942e76d
Instruction ID: 9170f257d9bfbb70e97ffd1e728d49a4f0631ff7a009b61c81a8bf155f7035cd
Opcode Fuzzy Hash: cf76be7135802a675b81b4d4acd8e35dd114b61bc29685142f25b5ecb942e76d
Instruction Fuzzy Hash: EB312F72900108AFDB10EFA9CC459EFB7F9EF98300F11406AE555E7251EA799E05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0101C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetCursorPos.USER32(?), ref: 0101C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FCBBFB,?,?,?,?,?), ref: 0101C7D7
GetCursorPos.USER32(?), ref: 0101C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FCBBFB,?,?,?), ref: 0101C85E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4e17829d94e2ba5da690aca1539d4670e1e1c2dd0cc0eed0e6fe3e3a4b23bb90
Instruction ID: b05cac336a41fc273796473010514bd56656dd9b9509fd8b70e8c7fcb1d4712d
Opcode Fuzzy Hash: 4e17829d94e2ba5da690aca1539d4670e1e1c2dd0cc0eed0e6fe3e3a4b23bb90
Instruction Fuzzy Hash: CA31A035600018EFEB25CF58C898EFA7FF6FB09320F444199FA858B255C73A9950DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00FB0BF2

Part of subcall function 00F95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7B20,?,?,00000000), ref: 00F95B8C
Part of subcall function 00F95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7B20,?,?,00000000,?,?), ref: 00F95BB0

_fprintf.LIBCMT ref: 00FB0C29
OutputDebugStringW.KERNEL32(?), ref: 00FE6331

Part of subcall function 00FB4CDA: _flsall.LIBCMT ref: 00FB4CF3

__setmode.LIBCMT ref: 00FB0C5E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: e31dc98a74c7c303dd4442518d0e197367ade7f36a06d2e3f1df77210b5ac649
Instruction ID: 840eca27b68ab4aeb654ca6580fcca100d1e4fb24c8e92d5f5f5b45277580512
Opcode Fuzzy Hash: e31dc98a74c7c303dd4442518d0e197367ade7f36a06d2e3f1df77210b5ac649
Instruction Fuzzy Hash: 8F113672A042087EDB15B7BA9C839FE7B6D9F41320F24011AF20497193DF792D46BB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE8669
Part of subcall function 00FE8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8673
Part of subcall function 00FE8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8682
Part of subcall function 00FE8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8689
Part of subcall function 00FE8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FE8BEB
_memcmp.LIBCMT ref: 00FE8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE8C44
HeapFree.KERNEL32(00000000), ref: 00FE8C4B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5f1365daa7857b82d23464a8354524fc9cf8a48eb2b9d8e57e5471b604215040
Instruction ID: 11cdfcc3ada559b71073f3bdd7f27b3c21dc282239a8247fc4cba02f369c20d9
Opcode Fuzzy Hash: 5f1365daa7857b82d23464a8354524fc9cf8a48eb2b9d8e57e5471b604215040
Instruction Fuzzy Hash: 3A21B071E01209EFCB10EFA9C944BEEB7B8FF41394F144099E458A7240DB35AE06EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FEE1C4,?,?,?,00FEEFB7,00000000,000000EF,00000119,?,?), ref: 00FEF5BC
Part of subcall function 00FEF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00FEF5E2
Part of subcall function 00FEF5AD: lstrcmpiW.KERNEL32(00000000,?,00FEE1C4,?,?,?,00FEEFB7,00000000,000000EF,00000119,?,?), ref: 00FEF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00FEE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00FEE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00FEE237

Strings

cdecl, xrefs: 00FEE22E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 65de334061a67f6b5f304dd4a11042c595bed494f6d7c85848917bf1cdaa3695
Instruction ID: bec7e082d6a670766e86c4d0465b513f6e2f6f85f6ac38c4badef5fcd1395527
Opcode Fuzzy Hash: 65de334061a67f6b5f304dd4a11042c595bed494f6d7c85848917bf1cdaa3695
Instruction Fuzzy Hash: FA11D336600381EFCB25AF65EC45D7A77B8FF85350B40402AF906CB254EB759854E790

Uniqueness

Uniqueness Score: -1.00%

Function 00FC5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC5351

Part of subcall function 00FB594C: __FF_MSGBANNER.LIBCMT ref: 00FB5963
Part of subcall function 00FB594C: __NMSG_WRITE.LIBCMT ref: 00FB596A
Part of subcall function 00FB594C: RtlAllocateHeap.NTDLL(019F0000,00000000,00000001,00000000,?,?,?,00FB1013,?), ref: 00FB598F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2c137375871964cd4104add4d3ea2fb3982ae44a52c260616f3cc1b0cb01e11e
Instruction ID: c9754272e3e29eebe06046e0e71f6736d3f81e43ddf89930b901696c16f16883
Opcode Fuzzy Hash: 2c137375871964cd4104add4d3ea2fb3982ae44a52c260616f3cc1b0cb01e11e
Instruction Fuzzy Hash: BD112732D04A17AFCB302FB1AD06B9D37996F04BF0B10452EF8449A080DE7E9981FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F94531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F94560

Part of subcall function 00F9410D: _memset.LIBCMT ref: 00F9418D
Part of subcall function 00F9410D: _wcscpy.LIBCMT ref: 00F941E1
Part of subcall function 00F9410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F941F1

KillTimer.USER32(?,00000001,?,?), ref: 00F945B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F945C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FCD6CE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 82d0d2a7a25c1d095a4ebfd1428bea198f066046986b21310553d39ab7191107
Instruction ID: b4dc314e252e21b6f31651418c728fc4149483828f06a4271506e3ba6deadb58
Opcode Fuzzy Hash: 82d0d2a7a25c1d095a4ebfd1428bea198f066046986b21310553d39ab7191107
Instruction Fuzzy Hash: B8210A71904784AFFB328B24C845FEBBBEC9F11314F04009EE2DE56145C7796A89EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0100667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7B20,?,?,00000000), ref: 00F95B8C
Part of subcall function 00F95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7B20,?,?,00000000,?,?), ref: 00F95BB0

gethostbyname.WSOCK32(?,?,?), ref: 010066AC
WSAGetLastError.WSOCK32(00000000), ref: 010066B7
_memmove.LIBCMT ref: 010066E4
inet_ntoa.WSOCK32(?), ref: 010066EF

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 3428d71579076a4dfb7db01c9db7a725667665dc3af45ea3e49a1fd3ab9429cc
Instruction ID: db58f071cc5aa70e49c6e5c111243f15a4ad38b854418c8c361ee0ac2cb6a0ca
Opcode Fuzzy Hash: 3428d71579076a4dfb7db01c9db7a725667665dc3af45ea3e49a1fd3ab9429cc
Instruction Fuzzy Hash: F8118B35904109AFDF01FFA8DD86CEEB7B8BF58710B044069F506A71A1DB39AE04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FE9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE9086

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f76093d3537c3872510d046ba54318bb091975ace9af1d189bda7c1da4e6f3f
Instruction ID: 61e35d47301b0f32e19b25c841e030d45f66fd1b25e0100a4629c5c9ea4cf4d7
Opcode Fuzzy Hash: 3f76093d3537c3872510d046ba54318bb091975ace9af1d189bda7c1da4e6f3f
Instruction Fuzzy Hash: 61115E7A901218FFDB10DFA5CC84F9DBB74FB48310F204095EA04B7250D6726E50EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F91290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,00000020,?), ref: 00F912D8
GetClientRect.USER32(?,?), ref: 00FCB84B
GetCursorPos.USER32(?), ref: 00FCB855
ScreenToClient.USER32(?,?), ref: 00FCB860

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 39fb64a08dce49fb89dd4dec64bdf83696afdadf351496fff8c28cdd4ab22037
Instruction ID: 34212ec65efc43942e6aaef39140efab55208f94c5e01f3ece53f3223eb26927
Opcode Fuzzy Hash: 39fb64a08dce49fb89dd4dec64bdf83696afdadf351496fff8c28cdd4ab22037
Instruction Fuzzy Hash: 3F113A39A0001AAFDF10EFA4D8859FE77B8FB05300F4004A5F941E7140D739BA55ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FF01FD,?,00FF1250,?,00008000), ref: 00FF166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FF01FD,?,00FF1250,?,00008000), ref: 00FF1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FF01FD,?,00FF1250,?,00008000), ref: 00FF169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00FF01FD,?,00FF1250,?,00008000), ref: 00FF16D1

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 39b3ce577db4f0976bbd977dc170c097cc2ea3415d93799f9d1f5f3e1195b79f
Instruction ID: c7b7063057f1536ed80ddbac21ad951eb9c852a3ad5624fb471533d3b56d2439
Opcode Fuzzy Hash: 39b3ce577db4f0976bbd977dc170c097cc2ea3415d93799f9d1f5f3e1195b79f
Instruction Fuzzy Hash: 91117C31C0051DDBCF109FA5D948AFEBB78FF09711F044059EA80F6240DB3595609B96

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FC722B

Part of subcall function 00FC7912: __fltout2.LIBCMT ref: 00FC793B

__cftog_l.LIBCMT ref: 00FC7251
__cftoe_l.LIBCMT ref: 00FC7283

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fda5c1f5d8683c82831545d722fea9b178bc5b6d23c2ad43cfca936602ea3dc2
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: AB017E3244824ABBCF526F85CD02DEE3F22BF69350B088519FA1858031C236C9B1BF81

Uniqueness

Uniqueness Score: -1.00%

Function 0101B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0101B59E
ScreenToClient.USER32(?,?), ref: 0101B5B6
ScreenToClient.USER32(?,?), ref: 0101B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0101B5F5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bfa660d3b8a0a3b493c4b15300153fef7d09f9f9537207363a877adfcb876592
Instruction ID: a509a8951820aca92411354fca1cf974524d5e9ff2189d83954aff5dca06b8bf
Opcode Fuzzy Hash: bfa660d3b8a0a3b493c4b15300153fef7d09f9f9537207363a877adfcb876592
Instruction Fuzzy Hash: E71143B9D0020AEFDB51DFA9C484AEEFBF9FB08310F108156E954E3214D735AA558F90

Uniqueness

Uniqueness Score: -1.00%

Function 0101B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101B8FE
_memset.LIBCMT ref: 0101B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01057F20,01057F64), ref: 0101B93C
CloseHandle.KERNEL32 ref: 0101B94E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9a2dffb6e03249d6beedb9455445b7657357c88785193edca59371d8c25207a3
Instruction ID: ed3be24bd8a9cac633da7e9c097d699130dc2e76291071d1afba6b4ba3091d36
Opcode Fuzzy Hash: 9a2dffb6e03249d6beedb9455445b7657357c88785193edca59371d8c25207a3
Instruction Fuzzy Hash: 72F082B26403007BF320BA65AC05FBB3A9CEB08398F404021BB89D518AD77E4900A7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FF6E88

Part of subcall function 00FF794E: _memset.LIBCMT ref: 00FF7983

_memmove.LIBCMT ref: 00FF6EAB
_memset.LIBCMT ref: 00FF6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00FF6EC8

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8988e9e8555b76323c209569242cd217432723b63cb428bc26ec2e6d0b1a44c3
Instruction ID: e213848b03bbe2f788d8b4d0f23fc3cb76f38032194e74529ad008a659335e78
Opcode Fuzzy Hash: 8988e9e8555b76323c209569242cd217432723b63cb428bc26ec2e6d0b1a44c3
Instruction Fuzzy Hash: 8BF05E7A200204ABCF117F55DC85A9ABB2AEF45360B04C051FE089E22AC77AA911DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0101C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9135C
Part of subcall function 00F912F3: BeginPath.GDI32(?), ref: 00F91373
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0101C030
LineTo.GDI32(00000000,?,?), ref: 0101C03D
EndPath.GDI32(00000000), ref: 0101C04D
StrokePath.GDI32(00000000), ref: 0101C05B

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2c00651206b29a740c9af8b56e66c15ab8ecc12a472f03ba98382222378efc36
Instruction ID: 1926e70d879a4f4218813fe54c7ded826eb782d636ca0878469c070e72c1939b
Opcode Fuzzy Hash: 2c00651206b29a740c9af8b56e66c15ab8ecc12a472f03ba98382222378efc36
Instruction Fuzzy Hash: 9FF09A3100022ABBEB236F94AC0AFDA3F98AF06310F044140FA91210C5C76E4264CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FEA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEA3AC
GetCurrentThreadId.KERNEL32 ref: 00FEA3B3
AttachThreadInput.USER32(00000000), ref: 00FEA3BA

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6e4341247a5ea3df17c9fdfd6e571d3585365a2167f955b87fa67898d2c81d02
Instruction ID: 38ffca9243a7bbc49ad3b9ed040e6f6e12d62894351c9a5e3d1f1680b16616f2
Opcode Fuzzy Hash: 6e4341247a5ea3df17c9fdfd6e571d3585365a2167f955b87fa67898d2c81d02
Instruction Fuzzy Hash: 7DE03931541268BADB201AA2DC0CED73F1CEF1A7B1F008014F548C4050D67A9544DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F92231
SetTextColor.GDI32(?,000000FF), ref: 00F9223B
SetBkMode.GDI32(?,00000001), ref: 00F92250
GetStockObject.GDI32(00000005), ref: 00F92258
GetWindowDC.USER32(?,00000000), ref: 00FCC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FCC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00FCC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00FCC112
GetPixel.GDI32(00000000,?,?), ref: 00FCC132
ReleaseDC.USER32(?,00000000), ref: 00FCC13D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 4bae2fcb4deb92ab87ffd7aea652cc49d89e983f99a4dd04e8d6ba57afcc46f7
Instruction ID: 43b37bf0c445bd03137460cf854c201b6544d721d0018fc8fde97ec7c7dc266e
Opcode Fuzzy Hash: 4bae2fcb4deb92ab87ffd7aea652cc49d89e983f99a4dd04e8d6ba57afcc46f7
Instruction Fuzzy Hash: 65E06531544145AAEF315F74F80DBD83B10EB06332F148356FBAD880D5C77A4584DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FE8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FE882E), ref: 00FE8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FE882E), ref: 00FE8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FE882E), ref: 00FE8C7E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 42c09e1801b1492390f7e07d5d4b4a9f3aeca1a0392497c131d0b68d609f69e2
Instruction ID: 550923cc579b44e1a6e750351dfe4e5d8884c7f86cc0050abc1ffcfce7e52768
Opcode Fuzzy Hash: 42c09e1801b1492390f7e07d5d4b4a9f3aeca1a0392497c131d0b68d609f69e2
Instruction Fuzzy Hash: 69E0DF36A422129BD7306EB16D0CB863BA8AF117A2F144818B289C9044DA3D844A8B20

Uniqueness

Uniqueness Score: -1.00%

Function 00FD2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FD2187
GetDC.USER32(00000000), ref: 00FD2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FD21B1
ReleaseDC.USER32(?), ref: 00FD21D2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c3faa111c3af120416bda80fa9988c0a63b73c857e4c94443a0f602caa878a8e
Instruction ID: 15f4591a0b56e25d8db2121277f493c37ca717d91fad09c2e19bb184caa7671b
Opcode Fuzzy Hash: c3faa111c3af120416bda80fa9988c0a63b73c857e4c94443a0f602caa878a8e
Instruction Fuzzy Hash: 87E0E575800205EFDF119FB0C808A9D7BB1EB5C350F11880AF99A97210CB7E8146AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FD219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FD219B
GetDC.USER32(00000000), ref: 00FD21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FD21B1
ReleaseDC.USER32(?), ref: 00FD21D2

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bab4478e007da63ad41602b161370b868b67f5c2f81171a482b5365b5d8c242a
Instruction ID: a97b8073924c4771c788fe5c8adfd2272c09389e650afceadbdbb535c541c596
Opcode Fuzzy Hash: bab4478e007da63ad41602b161370b868b67f5c2f81171a482b5365b5d8c242a
Instruction Fuzzy Hash: 28E012B5800206AFDF219FB0C80869D7BF1EB4C350F118809F99AA7210CB7E9145AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FEB981

Strings

AutoIt3GUI, xrefs: 00FEB8F9
Container, xrefs: 00FEB8FE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 1b2b097417b50f113dcde1e99cb6dfbf201eebfaf6fcc2aea96c44adaa1e01cb
Instruction ID: aac6d88ef2a6036e18275311f972b3021a71ad04252ae9cfbfe72701c664d43d
Opcode Fuzzy Hash: 1b2b097417b50f113dcde1e99cb6dfbf201eebfaf6fcc2aea96c44adaa1e01cb
Instruction Fuzzy Hash: F59148716006019FDB24DF69C884B6BBBE8FF48710F24856EE94ACB7A1DB70E941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAFEC6: _wcscpy.LIBCMT ref: 00FAFEE9

Part of subcall function 00F99997: __itow.LIBCMT ref: 00F999C2
Part of subcall function 00F99997: __swprintf.LIBCMT ref: 00F99A0C

__wcsnicmp.LIBCMT ref: 00FFB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FFB361

Strings

LPT, xrefs: 00FFB292

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 3c711bf536fb0c28d91c168a162d46d882146555f78c5dbe25757e8457989b09
Instruction ID: 371137ff58e5e7d89a588250c0cd177223d4d5e18534a727c65af839365c8544
Opcode Fuzzy Hash: 3c711bf536fb0c28d91c168a162d46d882146555f78c5dbe25757e8457989b09
Instruction Fuzzy Hash: 07619276E04219AFDF14DF98C881EBEB7B4AF08310F114059F646AB361DB74AE44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FA2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FA2AE1

Strings

@, xrefs: 00FA2AD5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a1d0003e2538283834a1a6ebc54715aa2483813d3ff9057b95cd8c11fc943ed9
Instruction ID: 888714d8cf2596f6e7d7c4d1a6b045f02c00d1baa5d924708c620b525b34a27b
Opcode Fuzzy Hash: a1d0003e2538283834a1a6ebc54715aa2483813d3ff9057b95cd8c11fc943ed9
Instruction Fuzzy Hash: 79515A714187449BE320AF14DC85BAFBBF8FF84310F42484DF1E941095EB798529DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00FF99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F9506B: __fread_nolock.LIBCMT ref: 00F95089

_wcscmp.LIBCMT ref: 00FF9AAE
_wcscmp.LIBCMT ref: 00FF9AC1

Strings

FILE, xrefs: 00FF99FA

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b810a4ea32ce29776f85b592d911a9c5f9a1a804d6dc1956507f320e1337e852
Instruction ID: 10103eeb8fcbc16783d59c27714d4bd8eb38929734a328b138fb9aa70d888afe
Opcode Fuzzy Hash: b810a4ea32ce29776f85b592d911a9c5f9a1a804d6dc1956507f320e1337e852
Instruction Fuzzy Hash: 5641E971E0460EBADF219EA1DC45FEFBBBDDF45710F000079FA00A7191DAB99A0497A1

Uniqueness

Uniqueness Score: -1.00%

Function 01002882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01002892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010028C8

Strings

|, xrefs: 01002899

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: efdfd2932972141cb35cb0864cdcb91ca614adba753d99f55e22579b635c9e41
Instruction ID: abb8e1ee8fdd932bf23b1d388e2de79adf798629e8fee70be2f37f24bb942d42
Opcode Fuzzy Hash: efdfd2932972141cb35cb0864cdcb91ca614adba753d99f55e22579b635c9e41
Instruction Fuzzy Hash: D3316F71811219AFDF45EFA1CC89EEEBFB8FF08340F100069F815A6166DB355A56DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01016CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01016D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01016DC2

Strings

static, xrefs: 01016D22

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 502a3787940ce2e48d856f2dbb758c8f4ae46d949d69ce871d561858c816aaa3
Instruction ID: f1e7ebfb3652f8ffe9878d9e05832f6d50aff0971eed5819469bc2c35f45a156
Opcode Fuzzy Hash: 502a3787940ce2e48d856f2dbb758c8f4ae46d949d69ce871d561858c816aaa3
Instruction Fuzzy Hash: 6A31A171500604AEEB119F38CC40AFB77B9FF48720F50851DF99987194DA7AA891DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FF2E3B

Strings

0, xrefs: 00FF2DF9

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 895179b52babf6ae14abacca822908682d43000c4213a9a31a94646de0e0e5ac
Instruction ID: df1b62574bd903c94db9b0c861b56bb2190980e01f672794364d8fec8f431ad6
Opcode Fuzzy Hash: 895179b52babf6ae14abacca822908682d43000c4213a9a31a94646de0e0e5ac
Instruction Fuzzy Hash: BD31E931E0030DABEB649F58C8457FEBBB5FF05360F240029EA85961B0E7749944EB50

Uniqueness

Uniqueness Score: -1.00%

Function 01016943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 010169D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010169DB

Strings

Combobox, xrefs: 0101699D

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7f350c0517c24eb842ccceccd76b3602bbac6f849cf9bbf90ff82228ac7872f7
Instruction ID: 17ce36bf5e85dd5327a5fe72473b0d8351473de18349c035086a599d73a4f422
Opcode Fuzzy Hash: 7f350c0517c24eb842ccceccd76b3602bbac6f849cf9bbf90ff82228ac7872f7
Instruction Fuzzy Hash: 2D11CB717002096FEF529E18CC80EFB3BAFEB45394F110165F99497295D67A9C5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 01016E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

GetWindowRect.USER32(00000000,?), ref: 01016EE0
GetSysColor.USER32(00000012), ref: 01016EFA

Strings

static, xrefs: 01016EBD

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d140cf65919a69410c4c4f7373a95aab1c7c371b366928dc45714e53ba8af0f8
Instruction ID: a6bd6a59c6488a708e08bc479d135c73e5af6fd52238c8c2278656aa0244f9cd
Opcode Fuzzy Hash: d140cf65919a69410c4c4f7373a95aab1c7c371b366928dc45714e53ba8af0f8
Instruction Fuzzy Hash: 5721597261021AAFDB04DFB8CC45AEA7BF8FB08314F004629FD95D3244E679E861DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01016B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 01016C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 01016C20

Strings

edit, xrefs: 01016BF5

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5f4bc5aaf199d32752c4c77e9282840d72c4d44ac84f201605355b5471fdae2d
Instruction ID: 07d171e7cb59bfddd983823bd9789fc27deed96502ad55bc44586d3063c63575
Opcode Fuzzy Hash: 5f4bc5aaf199d32752c4c77e9282840d72c4d44ac84f201605355b5471fdae2d
Instruction Fuzzy Hash: 46119D71500209ABEB518E689C81AFB37A9FB04368F504714F9A0971D8C6BEDC919760

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FF2F30

Strings

0, xrefs: 00FF2F07

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f9cc81b316854eb79f188f95058c279f2584b7fc0dc757e1f1bc1d75af2e75a9
Instruction ID: f94dba757340822dbadcdf8dfed4aac236e21e4e27350b764fb6a828afa3dff1
Opcode Fuzzy Hash: f9cc81b316854eb79f188f95058c279f2584b7fc0dc757e1f1bc1d75af2e75a9
Instruction Fuzzy Hash: D611E632E1121CABCB60DA58DC84BBA77B9EF01320F1401A1FA44E72F0D7B6AD04E791

Uniqueness

Uniqueness Score: -1.00%

Function 010024CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01002520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01002549

Strings

<local>, xrefs: 01002511

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 91771c86a9c161de520b08b7551dabe12f7610b46a18f60b5de70037f5aaa812
Instruction ID: 6ea0eb37b39c1a5c6408f99007c9dc4b51b65f0d00ba965397bb6a42273c7e35
Opcode Fuzzy Hash: 91771c86a9c161de520b08b7551dabe12f7610b46a18f60b5de70037f5aaa812
Instruction Fuzzy Hash: 10110670100225BAFB268F558C9CFBBFFA8FF05252F00816AF58646080D6715554C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 010080A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,010080C8,?,00000000,?,?), ref: 01008322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010080CB
htons.WSOCK32(00000000,?,00000000), ref: 01008108

Strings

255.255.255.255, xrefs: 010080E3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 00c34c6dddeffa255436e20ffd758ad531548bdcf5781dc06727a3c224feb496
Instruction ID: 79fc3bdb17876e185a316328728f0ecc528729bad528fef1a54d2b14df25c174
Opcode Fuzzy Hash: 00c34c6dddeffa255436e20ffd758ad531548bdcf5781dc06727a3c224feb496
Instruction Fuzzy Hash: EC11E534A00205ABEF21EF64CC46FEDB364FF14720F108567FA51972D2D636A810C755

Uniqueness

Uniqueness Score: -1.00%

Function 00FE92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00FEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00FEB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FE9355

Strings

ComboBox, xrefs: 00FE92F4
ListBox, xrefs: 00FE931F

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0fe5354fde417a2a2562f60be0e3f750bd9d7185d9a33e436e05a5b0a9b91ae0
Instruction ID: 7be3af0642d0324aca589072842c4369354209fa1e07e9b518bd41d24f7845e0
Opcode Fuzzy Hash: 0fe5354fde417a2a2562f60be0e3f750bd9d7185d9a33e436e05a5b0a9b91ae0
Instruction Fuzzy Hash: BC01D271A09314AB9F04EBA2CC958FE736DBF06320B100619B972572D2DA395808A760

Uniqueness

Uniqueness Score: -1.00%

Function 00FE91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00FEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00FEB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FE924D

Strings

ComboBox, xrefs: 00FE91EC
ListBox, xrefs: 00FE9217

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: af50aa788af326e5bf8f82db4c738c46e1033c035184bc866b7d6c1a54c50706
Instruction ID: f2842a54ed2eedcbb9a0659833e5f7c7668738027d3ed64a204d5dd902080dc2
Opcode Fuzzy Hash: af50aa788af326e5bf8f82db4c738c46e1033c035184bc866b7d6c1a54c50706
Instruction Fuzzy Hash: 6401FC71E4520477DF04EBA1CC96EFF73AC9F45710F1400297A1267191DA596F0CA7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97F41: _memmove.LIBCMT ref: 00F97F82

Part of subcall function 00FEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00FEB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FE92D0

Strings

ComboBox, xrefs: 00FE9271
ListBox, xrefs: 00FE929C

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 62a607ac740d12c4793a82337fa1c3257e0e48bec273b85b9c0cbd93435c781a
Instruction ID: 226e65759b2a3fe9bfc704d34a9f6ca3935e31abcd5872272fc95a7380c0d1a8
Opcode Fuzzy Hash: 62a607ac740d12c4793a82337fa1c3257e0e48bec273b85b9c0cbd93435c781a
Instruction Fuzzy Hash: 3001F771E4520477DF00E6A1CC86EFF73AC9F04710F240025790263191DA195E0CA6B6

Uniqueness

Uniqueness Score: -1.00%

Function 00FF51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FF51E8
_wcscmp.LIBCMT ref: 00FF51FA

Strings

#32770, xrefs: 00FF51F4

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: dd015eae9902ad430c9afd2eea0b004d4920431e957ee6c3524aeea0fb93c78e
Instruction ID: 6e5d9294545078f1724397d1bf7ae320dee00a5c5afacd73666fe92f85d16d84
Opcode Fuzzy Hash: dd015eae9902ad430c9afd2eea0b004d4920431e957ee6c3524aeea0fb93c78e
Instruction Fuzzy Hash: A5E02B72A0022D27D320959A9C49BA7F7ACEB40731F00015AF950D3040D56499048BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FE81CA

Part of subcall function 00FB3598: _doexit.LIBCMT ref: 00FB35A2

Strings

AutoIt, xrefs: 00FE81BE
Error allocating memory., xrefs: 00FE81C3

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 55e9570f6648d47a5b912d41b60b07247e6bb39b0897e3529dda3469a3feeee7
Instruction ID: f379ec3e272371cf14af7f6045bde4cba1b1185c788e7999db65939a41302fbb
Opcode Fuzzy Hash: 55e9570f6648d47a5b912d41b60b07247e6bb39b0897e3529dda3469a3feeee7
Instruction Fuzzy Hash: 11D0C23238031832D22032A6AC06FC639484B08B51F000029BB48990C3CEDA54825298

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB564: _memset.LIBCMT ref: 00FCB571

Part of subcall function 00FB0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FCB540,?,?,?,00F9100A), ref: 00FB0B89

IsDebuggerPresent.KERNEL32(?,?,?,00F9100A), ref: 00FCB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F9100A), ref: 00FCB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FCB54E

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: fb5bbf301a0a74e43656e0deca1cee40e4ee0267485901170c57fd83cdcfade4
Instruction ID: aced3ae7419df965fe1c4fc047f795d8880f858272844cce302a24f34eb448e1
Opcode Fuzzy Hash: fb5bbf301a0a74e43656e0deca1cee40e4ee0267485901170c57fd83cdcfade4
Instruction Fuzzy Hash: FCE06DB46007128FD730DF29E506B427BE8AB00754F048D2CE486C7355DBBEE408DB61

Uniqueness

Uniqueness Score: -1.00%

Function 01015BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01015BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01015C08

Part of subcall function 00FF54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF555E

Strings

Shell_TrayWnd, xrefs: 01015BEE

Memory Dump Source

Source File: 00000000.00000002.1688752035.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1688741780.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1688948449.0000000001045000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689158412.000000000104F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1689176341.0000000001058000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Payment_Advice-pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b63b6db56b28fcd97649b241792aa33ed27fc0113baaf3aff3cce5d8f2b3353e
Instruction ID: 19828c171e0ead6920e1b20241b9da2f94ad12f917dc793a475f714852735f30
Opcode Fuzzy Hash: b63b6db56b28fcd97649b241792aa33ed27fc0113baaf3aff3cce5d8f2b3353e
Instruction Fuzzy Hash: 22D0C971388312BBE774AA70AC5BFA77A14AB04B51F000829B78AAA1D5D9ED5804C750

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_Advice-pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2D03.tmp

C:\Users\user\AppData\Local\Temp\aut2D52.tmp

C:\Users\user\AppData\Local\Temp\aut37A1.tmp

C:\Users\user\AppData\Local\Temp\aut37E1.tmp

C:\Users\user\AppData\Local\Temp\exhilaratingly

C:\Users\user\AppData\Local\Temp\windigos

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Payment_Advice-pdf.exe

Function 00F93B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F94AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F94FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00FF93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00F93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F971EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F93A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F93778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 019B2770 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F939E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 019B24E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168
filememoryCOMMON

Function 00F9410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00FB564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre